openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #13066
Re: MySQL / MariaDB security vulnerability
Thanks Ewan,
Please note my findings on this CVE and feel free to correct / reply
with anything I have missed.
I've found in my tests of this CVE today that Percona 55-5.5.24 is not
vulnerable
(http://repo.percona.com/centos/6/os/x86_64/Percona-Server-server-55-5.5.24-rel26.0.256.rhel6.x86_64.rpm), whilst mysql v 5.5.23 is (5.5.23-1 on FC17), as such it appears Percona is not vulnerable to this attack though I am unsure from which version onward; rdp as the changelog was last updated in Fed 2011 ...
Also in testing I found that host ACLs can differ this issue, in that to
exploit this issue you must use a valid user@host (unless of course
there are wildcards), this assume therfor in a secure setup the granted
host must originate the attack for the target user.
Cheers
David
On Mon, 2012-06-11 at 19:46 +0100, Ewan Mellor wrote:
> Anyone who is using OpenStack with MySQL / MariaDB, please see this
> _extremely_ dangerous security vulnerability, announced on Saturday:
>
>
>
> https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
>
>
>
> Ewan.
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
Attachment:
signature.asc
Description: This is a digitally signed message part
References