maria-discuss team mailing list archive
Re: Critical Update for CVE-2016-6662
Reindl Harald <h.reindl@xxxxxxxxxxxxx>
Mon, 12 Sep 2016 23:41:56 +0200
the lounge interactive design
On 12.09.2016 at 23:38, Reinis Rozitis wrote:
>> mysqld_safe != mysqld != something a client interacts with
>> which distribution out there is running *mysqld* as root?
>
> Did you read the advisory or I don't get what you are arguing against/for?
>
> A client interacts with a database which in some cases using simple SQL
> is able to overwrite configuration files which then might be used by a
> safeguarding script (been there for ages). Further disclosure might
> explain how it can be done even without FILE or SUPER privileges.

a service itself *must not* have the permissions to write its config files

>> but "MySQL-Exploit-Remote-Root-Code-Execution" is written by fools
>
> If you call someone a fool for disclosing such an attack vector (which
> is acknowledged by all sides (the software developers / Mitre etc)) even
> if as you think doesn't affect you is quite rude

"Root-Code-Execution" is clickbait
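
The requirement argued over in this exchange, that the database service must not be able to write the configuration files a root-run wrapper script later reads, can be audited from file ownership and mode bits. The script below is an added example, not code from any participant in the thread; the account name `mysql` and the two default option-file paths are assumptions, and the finding labels are made up for this example.

```python
import os
import stat
import sys

def can_write(st, uid, gids):
    """Do the mode bits in `st` grant write to uid/gids? (ACLs, capabilities ignored.)"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_config(path, uid, gids):
    """Return the ways the service account could alter the config file at `path`."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    try:
        if can_write(os.stat(parent), uid, gids):
            findings.append("dir-writable")    # file can be created or swapped out
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    if st.st_uid == uid:
        findings.append("file-owned")          # owner can chmod it writable at will
    if can_write(st, uid, gids):
        findings.append("file-writable")
    return findings

if __name__ == "__main__":
    import pwd
    # Assumptions: service account "mysql" and two common option-file locations.
    # Override with: script.py <user> <path>...
    user = sys.argv[1] if len(sys.argv) > 1 else "mysql"
    paths = sys.argv[2:] or ["/etc/my.cnf", "/etc/mysql/my.cnf"]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    bad = False
    for p in paths:
        for finding in audit_config(p, pw.pw_uid, gids):
            bad = True
            print(f"{p}: {finding}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one listed file, or the directory holding it, can be modified by the service account.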