
Re: mysql-client-5.0 package severely broken, critical security implications



* Alexander W. Janssen wrote:
> I'd like to point out that the version 5.0.22-2bpo1 of
> mysql-client-5.0 is severely broken.
> 
> The command-line client /usr/bin/mysql wants to log everything into
> a file ~/.mysql_history. To prevent everything from being logged
> (passwords from GRANT-statements for instance) the manual-page says,
> that you can either set the variable MYSQL_HISTFILE to /dev/null or
> create a symlink called ~/.mysql_history pointing to /dev/null.
> 
> However, in any case: /dev/null gets DELETED and replaced by A FILE
> with the content of .mysql_history!  Deleting /dev/null on your
> system really breaks your system. This is a critical bug.
> 
> The bug is reported at http://bugs.mysql.com/bug.php?id=16803 and
> was closed in Mysql-version 5.0.19-BK according to their site.
> 
> I don't know if this is an upstream-error pointing to Debian Etch, I
> just had the feeling that they'd say "go bug the people from
> Backports".
> 
> I documented the stuff
> here http://www.bloglines.com/blog/ITnomad?id=102
> here http://www.bloglines.com/blog/ITnomad?id=103
> and here: http://www.bloglines.com/blog/ITnomad?id=125

Christian? Any idea why this bug is still present in the Debian
package?

                Norbert
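
The following check is an added example, not part of the original message or of the Debian or MySQL packages. It tests for the failure mode reported above (the null device replaced by a regular file) and reports how the client history is configured; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Classify a path that is supposed to be the null device.
# Prints one of: chardev | regular | missing | other
null_device_state() {
    p=$1
    if [ -c "$p" ]; then
        echo chardev            # healthy: character special file
    elif [ -f "$p" ]; then
        echo regular            # the reported damage: replaced by a plain file
    elif [ ! -e "$p" ]; then
        echo missing
    else
        echo other
    fi
}

# Report where the mysql client history of a home directory is directed.
# Usage: histfile_setting HOME_DIR [value of MYSQL_HISTFILE]
histfile_setting() {
    home=$1
    env_val=${2:-}
    if [ -n "$env_val" ]; then
        echo "env:$env_val"
    elif [ -L "$home/.mysql_history" ]; then
        echo "symlink:$(readlink "$home/.mysql_history")"
    elif [ -f "$home/.mysql_history" ]; then
        echo file
    else
        echo absent
    fi
}

# Print both findings; exit status is non-zero when the device is damaged.
# Usage: audit [DEVICE_PATH] [HOME_DIR]
audit() {
    dev=${1:-/dev/null}
    home=${2:-$HOME}
    state=$(null_device_state "$dev")
    setting=$(histfile_setting "$home" "${MYSQL_HISTFILE:-}")
    echo "null device $dev: $state; mysql history: $setting"
    # On Linux a damaged device is recreated as root with:
    #   rm -f /dev/null && mknod -m 666 /dev/null c 1 3
    [ "$state" = chardev ]
}
```

Running `audit` with no arguments checks /dev/null and the current user's home directory.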

