[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

mysql-server local DOS vulnerability


I found a local DOS vulnerability in the mysql-server package. Since I
am not experienced in the field of computer security I have not
contacted upstream nor any other security list about the issue and would
be happy to get some feedback about the perceived severity of the
problem and appropriate action to be taken.

mysql has the configuration option max_connect_errors set to 10 in the
default install. This means that after ten connection errors (handshake
failed) the origin of these connection attempts is blocked from
connecting again.

This lets any local user that is deliberately creating 10 connect errors
block anyone from localhost to connect to the db. The block is not
automatically released but requires user interaction from the db admin
("mysqladmin flush-hosts").

Quick-Fix: Add the following line to the [mysqld] section of my.cnf

set-variable    = max_connect_errors=999999999

[see also: http://www.mysql.com/doc/F/L/FLUSH.html]

I found this on my woody installation (though maybe not the very latest
version) and I guess it is an issue for potato, too, since it can also
be found in upstream. I cc'ed the maintainer of mysql-server, Christian

best regards,

Thiemo Nagel

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: