Debian Bug report logs - #418672
mysql-server-5.0: Creates root accounts without password on upgrade

Package: mysql-server-5.0; Maintainer for mysql-server-5.0 is (unknown);

Reported by: Olaf van der Spek <olafvdspek@gmail.com>

Date: Wed, 11 Apr 2007 07:18:05 UTC

Severity: grave

Tags: confirmed, pending, security

Found in version mysql-dfsg-5.0/5.0.38-1

Fixed in version mysql-dfsg-5.0/5.0.38-2

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Christian Hammers <ch@debian.org>: Bug#418672; Package mysql-server-5.0.

Acknowledgement sent to Olaf van der Spek <olafvdspek@gmail.com>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Christian Hammers <ch@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Olaf van der Spek <olafvdspek@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Wed, 11 Apr 2007 09:17:41 +0200
Package: mysql-server-5.0
Version: 5.0.38-1
Severity: critical
Tags: security
Justification: root security hole

Hi,

I pressed Enter when it asked for a new password for root (root already had a password).
Three rows were inserted into mysql.user:
(0x6c6f63616c686f7374, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x632e787769732e6e6574, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x3132372e302e302e31, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0);

One for 127.0.0.1, one for localhost and one for 'hostname'.

olaf@c:~$ mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
olaf@c:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
  mysql-server-5.0
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/25.4MB of archives.
After unpacking 287kB of additional disk space will be used.
Do you want to continue [Y/n]? 
Preconfiguring packages ...
(Reading database ... 32257 files and directories currently installed.)
Preparing to replace mysql-server-5.0 5.0.36-1 (using .../mysql-server-5.0_5.0.38-1_i386.deb) ...
Stopping MySQL database server: mysqld.
Stopping MySQL database server: mysqld.
Unpacking replacement mysql-server-5.0 ...
Setting up mysql-server-5.0 (5.0.38-1) ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Configuring mysql-server-5.0
----------------------------

It is highly recommended that you set a password for the MySQL administrative "root" user.

If you do not provide a password no changes will be made to the account.

New password for MySQL "root" user: 



olaf@c:~$ mysql -u root -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.38-Debian_1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 



-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages mysql-server-5.0 depends on:
ii  adduser                     3.102        Add and remove users and groups
ii  debconf [debconf-2.0]       1.5.13       Debian configuration management sy
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdbi-perl                 1.53-1       Perl5 database interface by Tim Bu
ii  libgcc1                     1:4.1.1-21   GCC support library
ii  libmysqlclient15off         5.0.38-1     mysql database client library
ii  libncurses5                 5.5-5        Shared libraries for terminal hand
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  libstdc++6                  4.1.1-21     The GNU Standard C++ Library v3
ii  libwrap0                    7.6.dbs-13   Wietse Venema's TCP wrappers libra
ii  lsb-base                    3.1-23.1     Linux Standard Base 3.1 init scrip
ii  mysql-client-5.0            5.0.38-1     mysql database client binaries
ii  mysql-common                5.0.38-1     mysql database common files (e.g. 
ii  passwd                      1:4.0.18.1-7 change and administer password and
ii  perl                        5.8.8-7      Larry Wall's Practical Extraction 
ii  psmisc                      22.3-1       Utilities that use the proc filesy
ii  zlib1g                      1:1.2.3-13   compression library - runtime

Versions of packages mysql-server-5.0 recommends:
ii  mailx            1:8.1.2-0.20050715cvs-1 A simple mail user agent

-- debconf information:
  mysql-server-5.0/really_downgrade: false
* mysql-server-5.0/need_sarge_compat: false
  mysql-server-5.0/start_on_boot: true
  mysql-server/error_setting_password:
  mysql-server-5.0/mysql_update_hints1:
  mysql-server-5.0/nis_warning:
  mysql-server-5.0/postrm_remove_databases: false
  mysql-server-5.0/need_sarge_compat_done: true
  mysql-server-5.0/no_upgrade_with_isam_tables:
* mysql-server-5.0/mysql_install_db_notes:
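
An added example, not code from the report or from the Debian package: a small Python audit that parses a mysql.user dump in the INSERT form pasted above, decodes the 0x hex literals that phpMyAdmin used for Host and User, and lists the accounts whose Password column is empty, which is the state the reporter found after the upgrade. The first three sample rows are the ones from the report; the fourth is a constructed row with a hashed password for contrast, and the function names are mine.

```python
"""Audit a mysql.user dump for accounts that can log in without a password.

Added example; not code from the bug report or the Debian package. It parses
INSERT-style value tuples such as a phpMyAdmin export, decodes the 0x... hex
literals used for Host and User, and flags rows whose Password column is empty.
"""
import re
from typing import List, NamedTuple

# mysql.user in MySQL 5.0 starts with Host, User, Password; the 26 privilege
# flags, the SSL columns and the resource limits follow.
HOST, USER, PASSWORD = 0, 1, 2

# One SQL literal at a time: a 0x hex string, a single-quoted string
# (with '' as an escaped quote) or an integer.
TOKEN = re.compile(r"0x([0-9A-Fa-f]+)|'((?:[^']|'')*)'|(-?\d+)")

# Sample dump. The first three tuples are the ones pasted in Message #5; the
# fourth is a constructed row with a hashed password, added for contrast.
SAMPLE_DUMP = """
(0x6c6f63616c686f7374, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x632e787769732e6e6574, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x3132372e302e302e31, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
('localhost', 'debian-sys-maint', '*BA1EC5FB0A0C9E3AEA76EFA61D3C7225A3B978BF', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'N', 'N', 'N', 'N', 'N', '', '', '', '', 0, 0, 0, 0);
"""


class Account(NamedTuple):
    host: str
    user: str
    password: str  # '' = no password set; '*<40 hex>' = MySQL 4.1+ hash


def decode_hex(hexdigits: str) -> str:
    """Turn the body of a 0x hex literal into text (726f6f74 -> 'root')."""
    return bytes.fromhex(hexdigits).decode("utf-8", errors="replace")


def _literal(match):
    """Convert one TOKEN match into a Python value."""
    hexval, quoted, number = match.groups()
    if hexval is not None:
        return decode_hex(hexval)
    if quoted is not None:
        return quoted.replace("''", "'")
    return int(number)


def parse_user_rows(dump: str) -> List[Account]:
    """Extract (host, user, password) from every parenthesised value tuple."""
    rows = []
    for tup in re.finditer(r"\(([^()]*)\)", dump):
        values = [_literal(m) for m in TOKEN.finditer(tup.group(1))]
        if len(values) <= PASSWORD:
            continue  # too short to be a mysql.user row
        rows.append(Account(str(values[HOST]), str(values[USER]), str(values[PASSWORD])))
    return rows


def find_passwordless(rows: List[Account]) -> List[Account]:
    """Accounts with an empty Password column: anyone matching Host can log in."""
    return [r for r in rows if r.password == ""]


def find_remote_root(rows: List[Account]) -> List[Account]:
    """root rows not limited to local connections (Host other than localhost/127.0.0.1)."""
    local = {"localhost", "127.0.0.1"}
    return [r for r in rows if r.user == "root" and r.host not in local]


if __name__ == "__main__":
    accounts = parse_user_rows(SAMPLE_DUMP)
    for acct in find_passwordless(accounts):
        print(f"no password: '{acct.user}'@'{acct.host}'")
    for acct in find_remote_root(accounts):
        print(f"root reachable from non-local host: '{acct.user}'@'{acct.host}'")
```

On a live server the same check is `SELECT Host, User FROM mysql.user WHERE Password = '';` run as an administrative user; the dump-based version above is useful when only a backup or export is at hand, as in the report.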



Information forwarded to debian-bugs-dist@lists.debian.org: Bug#418672; Package mysql-server-5.0.

Acknowledgement sent to Christian Hammers <ch@debian.org>: Extra info received and forwarded to list.

Message #10 received at 418672@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: Olaf van der Spek <olafvdspek@gmail.com>, 418672@bugs.debian.org
Cc: dc <control@bugs.debian.org>
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Wed, 11 Apr 2007 22:15:58 +0200
severity 418672 normal
tags 418672 - security
tags 418672 + unreproducible moreinfo
stop

Hi Olaf

On 2007-04-11 Olaf van der Spek wrote:
> I pressed Enter when it asked for a new password for root (root already
> had a password). Three rows were inserted into mysql.user:

> (0x6c6f63616c686f7374, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
> 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
> 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0), (0x632e787769732e6e6574,
> 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
> 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
> '', '', '', '', 0, 0, 0, 0), (0x3132372e302e302e31, 0x726f6f74, '', 'Y',
> 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
> 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0,
> 0);

Those hex numbers translate to 'localhost', 'root' and '127.0.0.1' and there
are no quotes around them so I guess you set some special options to have
them displayed in such a strange way?

Anyway, I cannot reproduce a reset of the users' passwords during a mysql
upgrade or "dpkg --reconfigure mysql-server-5.0". Can you try to reproduce
it yourself?

Also, please check against your backups and /var/log/mysql/ that you
*really* had a password set.

Are there other rows in the user table? Maybe some with a set password
and some without?

bye,

-christian-

Severity set to `normal' from `critical'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 20:21:03 GMT)

Tags removed: security. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 20:21:04 GMT)

Tags added: unreproducible, moreinfo. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 20:21:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>: Bug#418672; Package mysql-server-5.0.

Acknowledgement sent to "Olaf van der Spek" <olafvdspek@gmail.com>: Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>.

Message #21 received at 418672@bugs.debian.org:

From: "Olaf van der Spek" <olafvdspek@gmail.com>
To: 418672@bugs.debian.org
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Wed, 11 Apr 2007 23:05:46 +0200
Hi,

On 4/11/07, Christian Hammers <ch@debian.org> wrote:
> severity 418672 normal

Why?

> tags 418672 - security

Why?

> Those hex numbers translate to 'localhost', 'root' and '127.0.0.1' and there
> are no quotes around them so I guess you set some special options to have
> them displayed in such a strange way?

Yes, I used phpMyAdmin - Export.

> Anyway, I cannot reproduce a reset of the users passwords during a mysql
> upgrade or "dpkg --reconfigure mysql-server-5.0". Can you try to reproduce
> it yourself?

Sure.

> Also, please check against your backups and /var/log/mysql/ that you
> *really* had a password set.

I'm quite sure; I noticed the 'behaviour' on three different systems.
mysql.err and mysql.log are empty and /var/log/mysql/ only contains
binary logs.

> Are there other rows in the user table? Maybe some with a set password
> and some without?

No, all had a password.

debian:~# apt-get install mysql-server-5.0
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
 libdbd-mysql-perl libdbi-perl libmysqlclient15off libnet-daemon-perl
libplrpc-perl mysql-client-5.0 mysql-common psmisc
Suggested packages:
 dbishell libcompress-zlib-perl tinyca
Recommended packages:
 mailx
The following NEW packages will be installed:
 libdbd-mysql-perl libdbi-perl libmysqlclient15off libnet-daemon-perl
libplrpc-perl mysql-client-5.0 mysql-common mysql-server-5.0 psmisc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 35.1MB/35.2MB of archives.
After unpacking 92.1MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://ftp.surfnet.nl etch/main mysql-common 5.0.32-7etch1 [52.9kB]
Get:2 http://ftp.surfnet.nl etch/main libnet-daemon-perl 0.38-1.1 [45.8kB]
Get:3 http://ftp.surfnet.nl etch/main libplrpc-perl 0.2017-1.1 [34.9kB]
Get:4 http://ftp.surfnet.nl etch/main libdbi-perl 1.53-1 [647kB]
Get:5 http://ftp.surfnet.nl etch/main libmysqlclient15off 5.0.32-7etch1 [1791kB]
Get:6 http://ftp.surfnet.nl etch/main libdbd-mysql-perl 3.0008-1
[140kB]
Get:7 http://ftp.surfnet.nl etch/main mysql-client-5.0 5.0.32-7etch1
[7193kB]
Get:8 http://ftp.surfnet.nl etch/main mysql-server-5.0 5.0.32-7etch1
[25.2MB]
Fetched 35.1MB in 2m21s (248kB/s)
Preconfiguring packages ...
Selecting previously deselected package mysql-common.
(Reading database ... 13005 files and directories currently installed.)
Unpacking mysql-common (from .../mysql-common_5.0.32-7etch1_all.deb) ...
Selecting previously deselected package libnet-daemon-perl.
Unpacking libnet-daemon-perl (from .../libnet-daemon-perl_0.38-1.1_all.deb) ...
Selecting previously deselected package libplrpc-perl.
Unpacking libplrpc-perl (from .../libplrpc-perl_0.2017-1.1_all.deb) ...
Selecting previously deselected package libdbi-perl.
Unpacking libdbi-perl (from .../libdbi-perl_1.53-1_i386.deb) ...
Selecting previously deselected package libmysqlclient15off.
Unpacking libmysqlclient15off (from
.../libmysqlclient15off_5.0.32-7etch1_i386.deb) ...
Selecting previously deselected package libdbd-mysql-perl.
Unpacking libdbd-mysql-perl (from .../libdbd-mysql-perl_3.0008-1_i386.deb) ...
Selecting previously deselected package mysql-client-5.0.
Unpacking mysql-client-5.0 (from
.../mysql-client-5.0_5.0.32-7etch1_i386.deb) ...
Selecting previously deselected package psmisc.
Unpacking psmisc (from .../psmisc/psmisc_22.3-1_i386.deb) ...
Setting up mysql-common (5.0.32-7etch1) ...
Selecting previously deselected package mysql-server-5.0.
(Reading database ... 13255 files and directories currently installed.)
Unpacking mysql-server-5.0 (from
.../mysql-server-5.0_5.0.32-7etch1_i386.deb) ...
Setting up libnet-daemon-perl (0.38-1.1) ...
Setting up libplrpc-perl (0.2017-1.1) ...
Setting up libdbi-perl (1.53-1) ...
Setting up libmysqlclient15off (5.0.32-7etch1) ...

Setting up libdbd-mysql-perl (3.0008-1) ...
Setting up mysql-client-5.0 (5.0.32-7etch1) ...
Setting up psmisc (22.3-1) ...

Setting up mysql-server-5.0 (5.0.32-7etch1) ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..

debian:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.32-Debian_7etch1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from mysql.user;
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| Host      | User             | Password
   | Select_priv | Insert_priv | Update_priv | Delete_priv |
Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv |
File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv |
Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv |
Show_view_priv | Create_routine_priv | Alter_routine_priv |
Create_user_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject
| max_questions | max_updates | max_connections | max_user_connections
|
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| localhost | root             |
   | Y           | Y           | Y           | Y           | Y
  | Y         | Y           | Y             | Y            | Y
| Y          | Y               | Y          | Y          | Y
 | Y          | Y                     | Y                | Y
 | Y               | Y                | Y                | Y
   | Y                   | Y                  | Y                |
     |            |             |              |             0 |
    0 |               0 |                    0 |
| debian    | root             |
   | Y           | Y           | Y           | Y           | Y
  | Y         | Y           | Y             | Y            | Y
| Y          | Y               | Y          | Y          | Y
 | Y          | Y                     | Y                | Y
 | Y               | Y                | Y                | Y
   | Y                   | Y                  | Y                |
     |            |             |              |             0 |
    0 |               0 |                    0 |
| localhost | debian-sys-maint |
*BA1EC5FB0A0C9E3AEA76EFA61D3C7225A3B978BF | Y           | Y
| Y           | Y           | Y           | Y         | Y           |
Y             | Y            | Y         | Y          | Y
| Y          | Y          | Y            | Y          | Y
       | Y                | Y            | Y               | Y
       | N                | N              | N                   | N
               | N                |          |            |
 |              |             0 |           0 |               0 |
              0 |
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
3 rows in set (0.00 sec)

mysql> delete from mysql.user where host = 'debian';
Query OK, 1 row affected (0.00 sec)

mysql> update mysql.user set host = '%', password = password('1234')
where user = 'root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
debian:~# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
password: NO)
debian:~# mysql -p1234
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.32-Debian_7etch1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit
Bye
debian:~# mysql -p1234
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.0.32-Debian_7etch1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from mysql.user;
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| Host      | User             | Password
   | Select_priv | Insert_priv | Update_priv | Delete_priv |
Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv |
File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv |
Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv |
Show_view_priv | Create_routine_priv | Alter_routine_priv |
Create_user_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject
| max_questions | max_updates | max_connections | max_user_connections
|
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| %         | root             |
*A4B6157319038724E3560894F7F932C8886EBFCF | Y           | Y
| Y           | Y           | Y           | Y         | Y           |
Y             | Y            | Y         | Y          | Y
| Y          | Y          | Y            | Y          | Y
       | Y                | Y            | Y               | Y
       | Y                | Y              | Y                   | Y
               | Y                |          |            |
 |              |             0 |           0 |               0 |
              0 |
| localhost | debian-sys-maint |
*BA1EC5FB0A0C9E3AEA76EFA61D3C7225A3B978BF | Y           | Y
| Y           | Y           | Y           | Y         | Y           |
Y             | Y            | Y         | Y          | Y
| Y          | Y          | Y            | Y          | Y
       | Y                | Y            | Y               | Y
       | N                | N              | N                   | N
               | N                |          |            |
 |              |             0 |           0 |               0 |
              0 |
+-----------+------------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
2 rows in set (0.01 sec)

mysql> exit
Bye

debian:~# vi /etc/apt/sources.list (etch -> testing)

debian:~# apt-get update
Get:1 ftp://ftp.de.debian.org testing Release.gpg [189B]
Get:2 ftp://ftp.de.debian.org testing Release [68.5kB]
Get:3 ftp://ftp.de.debian.org testing/main Packages [5866kB]
Fetched 5935kB in 24s (241kB/s)
Reading package lists... Done
debian:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
 acpid base-files debconf debconf-i18n debconf-utils debianutils
findutils gzip klogd libacl1 libattr1 libedit2 libgpg-error0 libkrb53
libldap2 libmysqlclient15off libsepol1 manpages mysql-client-5.0
mysql-common mysql-server-5.0 netcat
 sysklogd tzdata vim-common vim-tiny
26 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 37.9MB of archives.
After unpacking 963kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 ftp://ftp.de.debian.org testing/main debianutils 2.18 [52.1kB]
Get:2 ftp://ftp.de.debian.org testing/main findutils 4.2.28-2 [351kB]
Get:3 ftp://ftp.de.debian.org testing/main gzip 1.3.9-2 [75.7kB]
Get:4 ftp://ftp.de.debian.org testing/main base-files 4.0 [34.5kB]
Get:5 ftp://ftp.de.debian.org testing/main debconf-i18n 1.5.13 [151kB]
Get:6 ftp://ftp.de.debian.org testing/main debconf 1.5.13 [148kB]
Get:7 ftp://ftp.de.debian.org testing/main mysql-common 5.0.38-1
[53.3kB]
Get:8 ftp://ftp.de.debian.org testing/main libmysqlclient15off
5.0.38-1 [1796kB]
Get:9 ftp://ftp.de.debian.org testing/main mysql-client-5.0 5.0.38-1
[7232kB]
Get:10 ftp://ftp.de.debian.org testing/main mysql-server-5.0 5.0.38-1
[25.4MB]
Get:11 ftp://ftp.de.debian.org testing/main libattr1 1:2.4.32-1.1
[9144B]
Get:12 ftp://ftp.de.debian.org testing/main libacl1 2.2.42-1 [15.1kB]
Get:13 ftp://ftp.de.debian.org testing/main libsepol1 1.14-3 [114kB]
Get:14 ftp://ftp.de.debian.org testing/main tzdata 2007d-1 [354kB]
Get:15 ftp://ftp.de.debian.org testing/main sysklogd 1.4.1-20 [58.3kB]
Get:16 ftp://ftp.de.debian.org testing/main klogd 1.4.1-20 [39.4kB]
Get:17 ftp://ftp.de.debian.org testing/main libgpg-error0 1.4-2
[34.6kB]
Get:18 ftp://ftp.de.debian.org testing/main libldap2 2.1.30-13.4
[151kB]
Get:19 ftp://ftp.de.debian.org testing/main manpages 2.43-0 [490kB]
Get:20 ftp://ftp.de.debian.org testing/main netcat 1.10-33 [66.6kB]
Get:21 ftp://ftp.de.debian.org testing/main vim-tiny 1:7.0-219+1
[542kB]
Get:22 ftp://ftp.de.debian.org testing/main vim-common 1:7.0-219+1
[209kB]
Get:23 ftp://ftp.de.debian.org testing/main libkrb53 1.4.4-8 [408kB]
Get:24 ftp://ftp.de.debian.org testing/main acpid 1.0.4-7.1 [26.3kB]
Get:25 ftp://ftp.de.debian.org testing/main debconf-utils 1.5.13
[40.8kB]
Get:26 ftp://ftp.de.debian.org testing/main libedit2
2.9.cvs.20050518-3 [55.8kB]
Fetched 37.9MB in 2m4s (305kB/s)
Preconfiguring packages ...
(Reading database ... 14806 files and directories currently installed.)
Preparing to replace debianutils 2.17 (using .../debianutils_2.18_i386.deb) ...
Unpacking replacement debianutils ...
Setting up debianutils (2.18) ...

(Reading database ... 14806 files and directories currently installed.)
Preparing to replace findutils 4.2.28-1 (using
.../findutils_4.2.28-2_i386.deb) ...
Unpacking replacement findutils ...
Setting up findutils (4.2.28-2) ...

(Reading database ... 14806 files and directories currently installed.)
Preparing to replace gzip 1.3.5-15 (using
.../archives/gzip_1.3.9-2_i386.deb) ...
Unpacking replacement gzip ...
Setting up gzip (1.3.9-2) ...

(Reading database ... 14806 files and directories currently installed.)
Preparing to replace base-files 4 (using .../base-files_4.0_i386.deb) ...
Unpacking replacement base-files ...
Setting up base-files (4.0) ...
Installing new version of config file /etc/debian_version ...
Installing new version of config file /etc/issue ...
Installing new version of config file /etc/issue.net ...

(Reading database ... 14806 files and directories currently installed.)
Preparing to replace debconf-i18n 1.5.11 (using
.../debconf-i18n_1.5.13_all.deb) ...
Unpacking replacement debconf-i18n ...
Preparing to replace debconf 1.5.11 (using .../debconf_1.5.13_all.deb) ...
Unpacking replacement debconf ...
Preparing to replace mysql-common 5.0.32-7etch1 (using
.../mysql-common_5.0.38-1_all.deb) ...
Unpacking replacement mysql-common ...
Preparing to replace libmysqlclient15off 5.0.32-7etch1 (using
.../libmysqlclient15off_5.0.38-1_i386.deb) ...
Unpacking replacement libmysqlclient15off ...
Preparing to replace mysql-client-5.0 5.0.32-7etch1 (using
.../mysql-client-5.0_5.0.38-1_i386.deb) ...
Unpacking replacement mysql-client-5.0 ...
Setting up mysql-common (5.0.38-1) ...
(Reading database ... 14806 files and directories currently installed.)
Preparing to replace mysql-server-5.0 5.0.32-7etch1 (using
.../mysql-server-5.0_5.0.38-1_i386.deb) ...
Stopping MySQL database server: mysqld.
Stopping MySQL database server: mysqld.
Unpacking replacement mysql-server-5.0 ...
Preparing to replace libattr1 2.4.32-1 (using
.../libattr1_1%3a2.4.32-1.1_i386.deb) ...
Unpacking replacement libattr1 ...
Preparing to replace libacl1 2.2.41-1 (using .../libacl1_2.2.42-1_i386.deb) ...
Unpacking replacement libacl1 ...
Setting up libattr1 (2.4.32-1.1) ...

Setting up libacl1 (2.2.42-1) ...

(Reading database ... 14847 files and directories currently installed.)
Preparing to replace libsepol1 1.14-2 (using .../libsepol1_1.14-3_i386.deb) ...
Unpacking replacement libsepol1 ...
Setting up libsepol1 (1.14-3) ...

(Reading database ... 14847 files and directories currently installed.)
Preparing to replace tzdata 2007b-1 (using .../tzdata_2007d-1_all.deb) ...
Unpacking replacement tzdata ...
Setting up tzdata (2007d-1) ...
Current default timezone: 'Europe/Amsterdam'.
Local time is now:      Wed Apr 11 23:00:49 CEST 2007.
Universal Time is now:  Wed Apr 11 21:00:49 UTC 2007.
Run 'tzconfig' if you wish to change it.

(Reading database ... 14853 files and directories currently installed.)
Preparing to replace sysklogd 1.4.1-18 (using
.../sysklogd_1.4.1-20_i386.deb) ...
Unpacking replacement sysklogd ...
Preparing to replace klogd 1.4.1-18 (using .../klogd_1.4.1-20_i386.deb) ...
Unpacking replacement klogd ...
Preparing to replace libgpg-error0 1.4-1 (using
.../libgpg-error0_1.4-2_i386.deb) ...
Unpacking replacement libgpg-error0 ...
Preparing to replace libldap2 2.1.30-13.3 (using
.../libldap2_2.1.30-13.4_i386.deb) ...
Unpacking replacement libldap2 ...
Preparing to replace manpages 2.39-1 (using .../manpages_2.43-0_all.deb) ...
Unpacking replacement manpages ...
Preparing to replace netcat 1.10-32 (using .../netcat_1.10-33_i386.deb) ...
Unpacking replacement netcat ...
Preparing to replace vim-tiny 1:7.0-122+1etch2 (using
.../vim-tiny_1%3a7.0-219+1_i386.deb) ...
Unpacking replacement vim-tiny ...
Preparing to replace vim-common 1:7.0-122+1etch2 (using
.../vim-common_1%3a7.0-219+1_i386.deb) ...
Unpacking replacement vim-common ...
Preparing to replace libkrb53 1.4.4-7etch1 (using
.../libkrb53_1.4.4-8_i386.deb) ...
Unpacking replacement libkrb53 ...
Preparing to replace acpid 1.0.4-5 (using .../acpid_1.0.4-7.1_i386.deb) ...
Stopping Advanced Configuration and Power Interface daemon: acpid.
Unpacking replacement acpid ...
dpkg: warning - unable to delete old directory `/etc/acpi/events':
Directory not empty
dpkg: warning - unable to delete old directory `/etc/acpi': Directory not empty
Preparing to replace debconf-utils 1.5.11 (using
.../debconf-utils_1.5.13_all.deb) ...
Unpacking replacement debconf-utils ...
Preparing to replace libedit2 2.9.cvs.20050518-2.2 (using
.../libedit2_2.9.cvs.20050518-3_i386.deb) ...
Unpacking replacement libedit2 ...
Setting up libmysqlclient15off (5.0.38-1) ...

Setting up mysql-client-5.0 (5.0.38-1) ...
Setting up libgpg-error0 (1.4-2) ...

Setting up libldap2 (2.1.30-13.4) ...

Setting up manpages (2.43-0) ...
Setting up netcat (1.10-33) ...
Setting up vim-common (7.0-219+1) ...

Setting up vim-tiny (7.0-219+1) ...

Setting up libkrb53 (1.4.4-8) ...

Setting up acpid (1.0.4-7.1) ...
Installing new version of config file /etc/init.d/acpid ...
Installing new version of config file /etc/logrotate.d/acpid ...
Loading ACPI modules....
Starting Advanced Configuration and Power Interface daemon....

Setting up libedit2 (2.9.cvs.20050518-3) ...

Setting up klogd (1.4.1-20) ...
Installing new version of config file /etc/init.d/klogd ...
Stopping kernel log daemon....
Starting kernel log daemon....

Setting up sysklogd (1.4.1-20) ...
Installing new version of config file /etc/init.d/sysklogd ...
Installing new version of config file /etc/cron.daily/sysklogd ...
Stopping system log daemon....
Starting system log daemon....

Setting up debconf-i18n (1.5.13) ...
Setting up debconf (1.5.13) ...

Setting up mysql-server-5.0 (5.0.38-1) ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..

Setting up debconf-utils (1.5.13) ...

debian:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.38-Debian_1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from mysql.user;
+-----------+------------------+-------------------------------------------+------------------------------------------------------+
| Host      | User             | Password                                  | Privilege columns (Select_priv ... Create_user_priv) |
+-----------+------------------+-------------------------------------------+------------------------------------------------------+
| %         | root             | *A4B6157319038724E3560894F7F932C8886EBFCF | all Y                                                |
| localhost | debian-sys-maint | *BA1EC5FB0A0C9E3AEA76EFA61D3C7225A3B978BF | all Y except Create_view, Show_view, Create_routine, |
|           |                  |                                           | Alter_routine and Create_user (N)                    |
| localhost | root             |                                           | all Y                                                |
| debian    | root             |                                           | all Y                                                |
| 127.0.0.1 | root             |                                           | all Y                                                |
+-----------+------------------+-------------------------------------------+------------------------------------------------------+
5 rows in set (0.00 sec)

(Output reflowed for readability: the 26 privilege columns are collapsed into
one column; ssl_type, ssl_cipher, x509_issuer and x509_subject are empty and
max_questions, max_updates, max_connections and max_user_connections are 0 in
every row.)

mysql> exit
Bye
debian:~#



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #26 received at 418672@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: "Olaf van der Spek" <olafvdspek@gmail.com>, Sean Finney <seanius@debian.org>, 418672@bugs.debian.org
Cc: dc <control@bugs.debian.org>
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Thu, 12 Apr 2007 01:40:59 +0200
[Message part 1 (text/plain, inline)]
severity 418672 grave
tags 418672 + security confirmed
tags 418672 - unreproducible moreinfo
stop

Hello

On 2007-04-11 Olaf van der Spek wrote:
> > severity 418672 normal
> Why?
Standard procedure for bugs that are unreproducible on the first try
so that security team & co do not waste time on them.

> > Anyway, I cannot reproduce a reset of the users passwords during a mysql
> > upgrade or "dpkg --reconfigure mysql-server-5.0". Can you try to
> > reproduce it yourself?
> Sure.
Thanks for the detailed trace. The symptom did not appear for me as I had
a different mysql.user table on which the INSERTs silently failed. I can
confirm it however for fresh installs on etch and above (didn't try sarge
yet).
The root of the problem is that the mysql_install_db script which gets
called in postinst changed its behaviour and the comment "save to use on
existing tables" is no longer true - it now unconditionally installs the
three new entries.

Sean, do you have time to deal with this as I'm away from tomorrow evening?

The first idea for a fix would be to only call mysql_install_db if no
$datadir/mysql/user.frm exists.
We call mysql_upgrade somewhere in /etc/mysql/debian-start IIRC, so an upgrade
from 4.0/4.1 to 5.0 table format should be made (better check if our format
from postinst is really the same as that in mysql_upgrade).

bye,

-christian-
[signature.asc (application/pgp-signature, attachment)]

Severity set to `grave' from `normal' Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 23:42:03 GMT) Full text and rfc822 format available.

Tags added: security, confirmed Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 23:42:04 GMT) Full text and rfc822 format available.

Tags removed: unreproducible, moreinfo Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Wed, 11 Apr 2007 23:42:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #37 received at 418672@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Christian Hammers <ch@debian.org>, 418672@bugs.debian.org
Cc: Olaf van der Spek <olafvdspek@gmail.com>, dc <control@bugs.debian.org>
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Fri, 13 Apr 2007 23:35:23 +0200
[Message part 1 (text/plain, inline)]
tags 41862 + moreinfo
thanks

hi guys,

i haven't been able to reproduce this, but this could be my fault as the
only way i have to test this is by upgrading an etch chroot to sid in
cowbuilder.  i'm doing the following:

# undo some of the "don't do stuff in the chroot" stuff
unset DEBIAN_FRONTEND
apt-get install dialog less vim
sed -i -e 's,makedev,makedev|mysql,' /usr/sbin/policy-rc.d
echo set debconf/priority low | debconf-communicate debconf

# sorry about the line wrapping, but it should be clear what's going on
apt-get install mysql-server
mysql -e 'update mysql.user set password=PASSWORD("foo") where
user="root"; flush privileges;'
mysql -pfoo -e 'delete from mysql.user where user="root" and
host="copelandia"; flush privileges;'
sed -i -e 's/etch/testing/g' /etc/apt/sources.list
apt-get update; apt-get upgrade;

and after all of this the passwords are still set as they were before.
what am i missing?


but secondly, i think i've found two bug reports in mysql's bts that may
be of interest:

http://bugs.mysql.com/bug.php?id=27022

...in which even newer versions of mysql_install_db were causing trouble
when being called a second time on the same directory.  and more
importantly:

http://bugs.mysql.com/bug.php?id=27783

...in which it's stated that mysql_install_db *should* be idempotent, at
least wrt the mysql.user tables.  btw this was reported yesterday and
fixed today.

i don't have much more time to look into things tonight, but i wasn't
expecting to have any time to look at things in the first place tonight.
i will have a few hours tomorrow though... so olaf if you could provide
me with the missing info i'd appreciate it.  if the new mysql_install_db
fixes things that's great but i'd still like to have some test code to
verify this.


	sean

On Thu, 2007-04-12 at 01:40 +0200, Christian Hammers wrote:
> Sean, do you have time do deal with this as I'm away from tomorrow evening?
> 
> The first idea for a fix would be to only call mysql_install_db if no
> $datadir/mysql/user.frm exists.

i think the new version of mysql_install_db does something like this.


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to "Olaf van der Spek" <olafvdspek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #42 received at 418672@bugs.debian.org (full text, mbox):

From: "Olaf van der Spek" <olafvdspek@gmail.com>
To: "Christian Hammers" <ch@debian.org>
Cc: 418672@bugs.debian.org
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Sat, 14 Apr 2007 09:26:20 +0200
Hi,

> Cc: Olaf van der Spek <olafvdspek@gmail.com>,

I didn't receive your mail. :(

> mysql -e 'update mysql.user set password=PASSWORD("foo") where user="root"; flush privileges;'

> mysql -pfoo -e 'delete from mysql.user where user="root" and host="copelandia"; flush privileges;'

That's not what I did.

mysql> delete from mysql.user where host = 'debian';
mysql> update mysql.user set host = '%', password = password('1234')
where user = 'root';
mysql> flush privileges;

In particular, you didn't change host to %.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #47 received at 418672@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: sean finney <seanius@debian.org>, 418672@bugs.debian.org
Cc: 418672@bugs.debian.org, Olaf van der Spek <olafvdspek@gmail.com>
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Tue, 17 Apr 2007 01:13:53 +0200
[Message part 1 (text/plain, inline)]
Hi

On 2007-04-13 sean finney wrote:
> and after all of this the passwords are still set as they were before.
> what am i missing?

The old entry is preserved but you should have three additional ones.
Depending on the host field you may or may not get asked for the password.

> http://bugs.mysql.com/bug.php?id=27783
> 
> ...in which it's stated that mysql_install_db *should* be idempotent, at
> least wrt the mysql.user tables.  btw this was reported yesterday and
> fixed today.

That one's great. I've used it and will upload a fix to unstable soon.


Any suggestions what we do about existing installations? Print a warning
in debian-start when there are root accounts with and ones without a
password? This would go to syslog on every server start and, well, cannot hurt
anyway, or can it?

bye,

-christian-
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Olaf van der Spek <olafvdspek@gmail.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #52 received at 418672-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 418672-close@bugs.debian.org
Subject: Bug#418672: fixed in mysql-dfsg-5.0 5.0.38-2
Date: Tue, 17 Apr 2007 01:02:06 +0000
Source: mysql-dfsg-5.0
Source-Version: 5.0.38-2

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.38-2_amd64.deb
libmysqlclient15off_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.38-2_amd64.deb
mysql-client-5.0_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.38-2_amd64.deb
mysql-client_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.38-2_all.deb
mysql-common_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.38-2_all.deb
mysql-dfsg-5.0_5.0.38-2.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.38-2.diff.gz
mysql-dfsg-5.0_5.0.38-2.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.38-2.dsc
mysql-server-4.1_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.38-2_amd64.deb
mysql-server-5.0_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.38-2_amd64.deb
mysql-server_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.38-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 418672@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Apr 2007 01:00:41 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server mysql-server-4.1 mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all amd64
Version: 5.0.38-2
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 libmysqlclient15-dev - mysql database development files
 libmysqlclient15off - mysql database client library
 mysql-client - mysql database client (meta package depending on the latest versi
 mysql-client-5.0 - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server (meta package depending on the latest versi
 mysql-server-4.1 - mysql database server (transitional package)
 mysql-server-5.0 - mysql database server binaries
Closes: 418672
Changes: 
 mysql-dfsg-5.0 (5.0.38-2) unstable; urgency=high
 .
   * SECURITY:
     In some previous versions mysql_install_db was not idempotent and did
     always create passwordless root accounts although it should only on
     initial installs (thanks to Olaf van der Spek). Closes: #418672
   * Added check for passwordless root accounts to debian-start.
   * As MySQL-5.0 is, at least currently, incompatible with Kernel 2.4 the
     installation is aborted for such old kernels. Debian Etch does not support
     them anyway according to the release notes but this might be unexpected
     and many production servers still have self-built ones installed (thanks
     to Marc-Christian Petersen). See: #416841
   * Adjusted TeX build-deps to texlive.
Files: 
 ed55d0c23147282b9015e567f7af2c59 1090 misc optional mysql-dfsg-5.0_5.0.38-2.dsc
 64da8dc7cbd291d19cfd21c10cd83f01 146029 misc optional mysql-dfsg-5.0_5.0.38-2.diff.gz
 0e581d3afa355e7da0e41e58b38f6982 54322 misc optional mysql-common_5.0.38-2_all.deb
 e596e1e70b640aa625531c9542868d2a 47478 misc optional mysql-server_5.0.38-2_all.deb
 86ef52026f99ec8636a43bcf5a3523a6 45266 misc optional mysql-client_5.0.38-2_all.deb
 e5c6746db995751e7858643cbac929f6 1838220 libs optional libmysqlclient15off_5.0.38-2_amd64.deb
 dfc8a3407f082ec23d63807ececebad1 7409422 libdevel optional libmysqlclient15-dev_5.0.38-2_amd64.deb
 644a2c812c9cb5b7e4a3a5e574aac00f 7585834 misc optional mysql-client-5.0_5.0.38-2_amd64.deb
 2fa9db5a4371c8763968ba9cf7abb167 26064750 misc optional mysql-server-5.0_5.0.38-2_amd64.deb
 fcfb5d69249ff2e0ab3fe22748378a53 47364 oldlibs extra mysql-server-4.1_5.0.38-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkYkGhYACgkQkR9K5oahGOaNtwCgunCq0tXEjfmKkehDXqslQoQv
cJcAoJQJpCkwCEs3JQ4YeNQyncRexlQ4
=ktEq
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #57 received at 418672@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Christian Hammers <ch@debian.org>, 418672@bugs.debian.org
Cc: Olaf van der Spek <olafvdspek@gmail.com>
Subject: Re: Bug#418672: mysql-server-5.0: Creates root accounts without password on upgrade
Date: Tue, 17 Apr 2007 08:14:37 +0200
[Message part 1 (text/plain, inline)]
hey christian,


On Tue, 2007-04-17 at 01:13 +0200, Christian Hammers wrote:
> > http://bugs.mysql.com/bug.php?id=27783
> > 
> > ...in which it's stated that mysql_install_db *should* be idempotent, at
> > least wrt the mysql.user tables.  btw this was reported yesterday and
> > fixed today.
> 
> That one's great. I've used it and upload a fix to unstable soon.
>
> Any suggestions what we do about existing installations? Print a warning
> in debian-start when there are root accounts with and ones without a
> password? This would go to syslog on every server start and well cannot hurt
> anyway, or?

i think that's probably the best approach, yeah.  because it's also
possible that someone has set things up so that root needs a password
remotely but not locally.  unless there's a good way to tell the
difference between these two situations i don't know that we should do
anything more than log a warning.


	sean
[signature.asc (application/pgp-signature, inline)]
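
The warning Christian proposes in message #47 and Sean endorses above (log when
root accounts without a password exist, but change nothing, since a deliberately
passwordless local root cannot be told apart from one left behind by the
upgrade) can be written as a small check over client output. The following is an
added example, not the debian-start check that 5.0.38-2 ships. It assumes the
rows come from an invocation such as
`mysql --defaults-file=/etc/mysql/debian.cnf -BNe "SELECT Host, User, Password FROM mysql.user"`
(the defaults file and query are this example's choice); -B prints one
tab-separated row per line and -N drops the header. The sample output is
constructed to match the mysql.user contents Olaf posted, and the message
wording is this example's own.

```python
"""Added example, not the debian-start check shipped in 5.0.38-2: the
"warn about passwordless root accounts" logic proposed in the thread, written
over the tab-separated output of a client query so it can be exercised on
captured output without a server. Assumed invocation (not from the bug log):

    mysql --defaults-file=/etc/mysql/debian.cnf -BNe \\
        "SELECT Host, User, Password FROM mysql.user"

SAMPLE below is constructed to match the mysql.user contents Olaf posted.
"""
from typing import List, Tuple

SAMPLE = (
    "%\troot\t*A4B6157319038724E3560894F7F932C8886EBFCF\n"
    "localhost\tdebian-sys-maint\t*BA1EC5FB0A0C9E3AEA76EFA61D3C7225A3B978BF\n"
    "localhost\troot\t\n"
    "debian\troot\t\n"
    "127.0.0.1\troot\t\n"
)


def parse_user_rows(text: str) -> List[Tuple[str, str, str]]:
    """Split -BN output into (Host, User, Password) tuples. In batch mode the
    client escapes tabs and newlines inside values as \\t and \\n, so splitting
    on the raw characters is safe; it prints NULL as the word NULL, which is
    treated here the same as an empty password."""
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        host, user, password = line.split("\t", 2)
        rows.append((host, user, "" if password == "NULL" else password))
    return rows


def root_accounts(rows: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Return (hosts with a password, hosts without) for User = 'root'."""
    with_pw = sorted(h for h, u, p in rows if u == "root" and p != "")
    without = sorted(h for h, u, p in rows if u == "root" and p == "")
    return with_pw, without


def warnings_for(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Messages to log at server start. Only a warning is produced: a
    deliberately passwordless local root cannot be told apart from one left
    behind by the upgrade, so nothing is changed automatically. The mixed
    state (some root rows with a password, some without) is called out
    because that is what the upgrade bug leaves behind."""
    with_pw, without = root_accounts(rows)
    if not without:
        return []
    msg = ("WARNING: root accounts without a password exist for hosts: "
           + ", ".join(without))
    if with_pw:
        msg += ("; other root accounts (" + ", ".join(with_pw)
                + ") do have one, which is what Bug#418672 leaves behind")
    return [msg + ". Check mysql.user and set a password or drop the rows."]


if __name__ == "__main__":
    import sys
    # Pipe the client output in, or run without input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in warnings_for(parse_user_rows(data)):
        print(line)
```

In a debian-start style script the returned messages would go to syslog via
logger(1); the check itself never modifies mysql.user.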

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #62 received at 418672@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 418672@bugs.debian.org
Subject: 5.0.32-7etch1 has this bug
Date: Wed, 25 Apr 2007 13:22:03 +1100
I just did a fresh install of mysql-server-5.0 on an AMD64 system which had 
never been used to run any version of MySQL before.  It has root accounts 
with no passwords.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #67 received at 418672@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: russell@coker.com.au, 418672@bugs.debian.org
Subject: Re: Bug#418672: 5.0.32-7etch1 has this bug
Date: Wed, 25 Apr 2007 08:36:12 +0200
[Message part 1 (text/plain, inline)]
hi,

On Wed, 2007-04-25 at 13:22 +1100, Russell Coker wrote:
> I just did a fresh install of mysql-server-5.0 on an AMD64 system which had 
> never been used to run any version of MySQL before.  It has root accounts 
> with no passwords.

i believe the bug in question was about an existing installation with a
password being upgraded in such a way that root could log in afterwards
without a password.

empty passwords are actually the *default* with mysql databases, though
in debian we've value-added some debconf-based password setting.  still,
if you don't see the questions or otherwise decline these questions the
default remains.


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #72 received at 418672@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: sean finney <seanius@debian.org>
Cc: 418672@bugs.debian.org
Subject: Re: Bug#418672: 5.0.32-7etch1 has this bug
Date: Wed, 25 Apr 2007 19:40:08 +1100
On Wednesday 25 April 2007 16:36, sean finney <seanius@debian.org> wrote:
> On Wed, 2007-04-25 at 13:22 +1100, Russell Coker wrote:
> > I just did a fresh install of mysql-server-5.0 on an AMD64 system which
> > had never been used to run any version of MySQL before.  It has root
> > accounts with no passwords.
>
> i believe the bug in question was about an existing installation with a
> password being upgraded in such a way that root could log in afterwards
> without a password.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418955

My above bug report was closed as a duplicate of this.

> empty passwords are actually the *default* with mysql databases, though
> in debian we've value-added some debconf-based password setting.  still,
> if you don't see the questions or othewrise decline these questions the
> default remains.

Empty passwords by default might be OK for a source based install of MySQL, 
but they are not OK for a Debian install.  Debian packages should be expected 
to be secure by default!

The fact that I was asked no questions on several installs of MySQL in both 
Etch and Unstable is a bug in the MySQL packages.  Should I continue the 
issue here or re-open my other bug report?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #77 received at 418672@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: russell@coker.com.au, 418672@bugs.debian.org
Subject: Re: Bug#418672: 5.0.32-7etch1 has this bug
Date: Wed, 25 Apr 2007 18:31:14 +0200
[Message part 1 (text/plain, inline)]
On Wed, 2007-04-25 at 19:40 +1100, Russell Coker wrote:
> On Wednesday 25 April 2007 16:36, sean finney <seanius@debian.org> wrote:
> > On Wed, 2007-04-25 at 13:22 +1100, Russell Coker wrote:
> > > I just did a fresh install of mysql-server-5.0 on an AMD64 system which
> > > had never been used to run any version of MySQL before.  It has root
> > > accounts with no passwords.
> >
> > i believe the bug in question was about an existing installation with a
> > password being upgraded in such a way that root could log in afterwards
> > without a password.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418955
> 
> My above bug report was closed as a duplicate of this.

ah, okay.  i think some wires must have gotten crossed then.

> > empty passwords are actually the *default* with mysql databases, though
> > in debian we've value-added some debconf-based password setting.  still,
> > if you don't see the questions or othewrise decline these questions the
> > default remains.
> 
> Empty passwords by default might be OK for a source based install of MySQL, 
> but they are not OK for a Debian install.  Debian packages should be expected 
> to be secure by default!

i think it's fairly common knowledge that this is to be expected when
installing mysql, as you will find this to be the case for every other
distribution of unix/linux that includes mysql.

however, in principle i agree with you--hence we went out of our way to
do the password prompt stuff in the first place.  perhaps we should
consider raising the priority of the question (currently i believe it's
medium, which is why you didn't see it maybe?).


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Olaf van der Spek <OvdSpek@LIACS.NL>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #82 received at 418672@bugs.debian.org (full text, mbox):

From: Olaf van der Spek <OvdSpek@LIACS.NL>
To: 418672@bugs.debian.org
Subject: (no subject)
Date: Wed, 25 Apr 2007 23:23:06 +0200
> i think it's fairly common knowledge that this is to be expected when
> installing mysql, as you will find this to be the case for every other
> distribution of unix/linux that includes mysql.

Unfortunately, yes. It's also upstream's fault.
But why can't Debian do better?

An apt-get install mysql-server after a default Debian Etch install does 
not ask for a password. If that's due to the priority, the priority of 
the question should be raised.

Although I'll say again that I'd prefer an auto generated random 
password that the install script stores somewhere securely.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#418672; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #87 received at 418672@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: sean finney <seanius@debian.org>
Cc: 418672@bugs.debian.org
Subject: Re: Bug#418672: 5.0.32-7etch1 has this bug
Date: Thu, 26 Apr 2007 10:07:23 +1100
On Thursday 26 April 2007 02:31, sean finney <seanius@debian.org> wrote:
> > Empty passwords by default might be OK for a source based install of
> > MySQL, but they are not OK for a Debian install.  Debian packages should
> > be expected to be secure by default!
>
> i think it's fairly common knowledge that this is to be expected when
> installing mysql, as you will find this to be the case for every other
> distribution of unix/linux that includes mysql.

If it was common knowledge then surely I would have known it years ago!

The big advantage of MySQL over all other options is the low level of skill 
needed to administer it.  Oracle requires a dedicated DBA with a six figure 
salary.  PostgreSQL requires a good sys-admin who has experience and knows 
SQL.  MySQL generally works for anyone who wants to turn it on.

> however, in principle i agree with you--hence we went out of our way to
> do the password prompt stuff in the first place.  perhaps we should
> consider raising the priority of the question (currently i believe it's
> medium, which is why you didn't see it maybe?).

I believe that if there is an option to run a system with no administrative 
password then the question about it should be at the highest priority, or the 
password should be set to a random value (from /dev/random) by default.




Tags added: pending Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (Tue, 08 May 2007 19:06:08 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 10:26:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 12:31:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.