Debian Bug report logs - #711600
mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf

Package: mysql-server; Maintainer for mysql-server is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>; Source for mysql-server is src:mysql-5.5.

Reported by: vladz <vladz@devzero.fr>

Date: Sat, 8 Jun 2013 10:30:01 UTC

Severity: important

Tags: security

Found in versions mysql-5.5/5.5.17-1, mysql-5.5/5.5.31+dfsg-0+wheezy1

Fixed in versions mysql-5.5/5.5.33+dfsg-0+wheezy1, mysql-5.5/5.5.35+dfsg-1

Done: James Page <jamespage@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#711600; Package mysql-server. (Sat, 08 Jun 2013 10:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to vladz <vladz@devzero.fr>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sat, 08 Jun 2013 10:30:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: vladz <vladz@devzero.fr>
To: submit@bugs.debian.org
Subject: Insecure creation of the credential file debian.cnf
Date: Sat, 8 Jun 2013 12:26:35 +0200
Package: mysql-server
Version: 5.5.31+dfsg-0+wheezy1
Tags: security

The file "/etc/mysql/debian.cnf", which contains plain text credentials
for the "debian-sys-maint" mysql user, is created in an insecure manner
during the package installation phase.  This can lead a non-privileged
local user to disclose its content and use this special account to
perform administration tasks.

The file is created by the post-installation script:

  $ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst
  [...]
  170     dc=$mysql_cfgdir/debian.cnf;
  [...]
  176         cat /dev/null > $dc
  [...]
  178         echo "[client]" >>$dc
  179         echo "host     = localhost" >>$dc
  180         echo "user     = debian-sys-maint" >>$dc
  181         echo "password = $pass" >>$dc
  [...]
  191     chown 0:0 $dc
  192     chmod 0600 $dc
    
There is a time lapse (between lines 176 and 191) where the file
permissions are 644 (settled by the default umask).  At this time, a
user can open the file with the O_RDONLY flag and disclose its content
even after the chmod is executed at line 192 (yes, the user's file
descriptor won't be affected by this action).

Anyway, I suggest to force a umask value to 077 before this file is
created.

I have a trivial PoC if needed.

Thanks,
vladz.
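
The window described in this report, reproduced on a scratch file as an added example (not part of the original report or of the Debian package): `create_cnf` repeats the postinst sequence under a chosen umask and reports the mode before and after the `chmod`, and `read_through_early_fd` shows that a descriptor opened before the `chmod` keeps working. The function names, temporary paths and dummy password are assumptions; 022 stands in for "the default umask", and 066 and 077 are the two values mentioned in this bug log.

```shell
#!/bin/sh
# Added example: constructed scratch files and a dummy password, not the real
# /etc/mysql/debian.cnf. All function names here are hypothetical.

# Permission string of a file, e.g. "-rw-r--r--" (first 10 columns of ls -l).
perm_of() { ls -ld "$1" | cut -c1-10; }

# Repeat the postinst sequence (lines 176-192 of the report) under umask $1.
# Prints "<mode during the window> -> <mode after chmod>".
# The body is a subshell, so the umask change does not leak to the caller.
create_cnf() (
    umask "$1"
    dc=$2
    rm -f "$dc"                       # start from a file that does not exist
    cat /dev/null > "$dc"             # the file is created here, mode 0666 & ~umask
    echo "[client]" >> "$dc"
    echo "host     = localhost" >> "$dc"
    echo "user     = debian-sys-maint" >> "$dc"
    echo "password = $3" >> "$dc"
    window=$(perm_of "$dc")           # what the file looks like before chmod
    chmod 0600 "$dc"
    echo "$window -> $(perm_of "$dc")"
)

# Open the file for reading while it still has its creation mode, tighten the
# mode, then read through the descriptor that was opened earlier.
# chmod 0000 is used instead of 0600 so that even the owner could not reopen
# the file by name; it stands in for another user after the real chmod 0600.
read_through_early_fd() (
    umask 022
    dc=$1
    rm -f "$dc"
    echo "password = $2" > "$dc"
    exec 3< "$dc"                     # descriptor obtained during the window
    chmod 0000 "$dc"                  # the permission check happened at open()
    cat <&3                           # still succeeds
    exec 3<&-
)

demo() {
    d=$(mktemp -d) || return 1
    for m in 022 066 077; do
        echo "umask $m: $(create_cnf "$m" "$d/debian.cnf" dummy-pass)"
    done
    echo "early fd reads: $(read_through_early_fd "$d/debian.cnf" dummy-pass)"
    rm -rf "$d"
}
demo
```

The umask only applies when the file is created: truncating an already existing file with `>` keeps whatever mode that file had.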



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#711600; Package mysql-server. (Sun, 09 Jun 2013 07:51:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sun, 09 Jun 2013 07:51:22 GMT) Full text and rfc822 format available.

Message #10 received at 711600@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: vladz <vladz@devzero.fr>, 711600@bugs.debian.org
Subject: Re: Bug#711600: Insecure creation of the credential file debian.cnf
Date: Sun, 9 Jun 2013 09:29:06 +0200
Control: severity -1 important
Control: retitle -1 mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf

Hi

On Sat, Jun 08, 2013 at 12:26:35PM +0200, vladz wrote:
> Package: mysql-server
> Version: 5.5.31+dfsg-0+wheezy1
> Tags: security
> 
> The file "/etc/mysql/debian.cnf", which contains plain text credentials
> for the "debian-sys-maint" mysql user, is created in an insecure manner
> during the package installation phase.  This can lead a non-privileged
> local user to disclose its content and use this special account to
> perform administration tasks.
> 
> The file is created by the post-installation script:
> 
>   $ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst
>   [...]
>   170     dc=$mysql_cfgdir/debian.cnf;
>   [...]
>   176         cat /dev/null > $dc
>   [...]
>   178         echo "[client]" >>$dc
>   179         echo "host     = localhost" >>$dc
>   180         echo "user     = debian-sys-maint" >>$dc
>   181         echo "password = $pass" >>$dc
>   [...]
>   191     chown 0:0 $dc
>   192     chmod 0600 $dc
>     
> There is a time lapse (between lines 176 and 191) where the file
> permissions are 644 (settled by the default umask).  At this time, a
> user can open the file with the O_RDONLY flag and disclose its content
> even after the chmod is executed at line 192 (yes, the user's file
> descriptor won't be affected by this action).
> 
> Anyway, I suggest to force a umask value to 077 before this file is
> created.
> 
> I have a trivial PoC if needed.

A CVE id was assigned to this issue: CVE-2013-2162. When you fix this
issue please make sure to include the CVE in the changelog.

Regards,
Salvatore



Severity set to 'important' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to 711600-submit@bugs.debian.org. (Sun, 09 Jun 2013 07:51:22 GMT) Full text and rfc822 format available.

Changed Bug title to 'mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf' from 'Insecure creation of the credential file debian.cnf' Request was from Salvatore Bonaccorso <carnil@debian.org> to 711600-submit@bugs.debian.org. (Sun, 09 Jun 2013 07:51:23 GMT) Full text and rfc822 format available.

Marked as found in versions mysql-5.5/5.5.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 15 Dec 2013 22:21:10 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 22 Dec 2013 12:51:29 GMT) Full text and rfc822 format available.

Notification sent to vladz <vladz@devzero.fr>:
Bug acknowledged by developer. (Sun, 22 Dec 2013 12:51:29 GMT) Full text and rfc822 format available.

Message #21 received at 711600-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 711600-close@bugs.debian.org
Subject: Bug#711600: fixed in mysql-5.5 5.5.33+dfsg-0+wheezy1
Date: Sun, 22 Dec 2013 12:47:33 +0000
Source: mysql-5.5
Source-Version: 5.5.33+dfsg-0+wheezy1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 711600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 14 Dec 2013 22:29:18 +0100
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.33+dfsg-0+wheezy1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 711600
Changes: 
 mysql-5.5 (5.5.33+dfsg-0+wheezy1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Imported Upstream version 5.5.33+dfsg
     - Fixes: CVE-2013-5807 CVE-2013-3839 CVE-2013-3812 CVE-2013-3809
       CVE-2013-3804 CVE-2013-3802 CVE-2013-3793 CVE-2013-3783 CVE-2013-1861
   * Update copyright years for upstream files
   * Add patches to disable the test database and anonymous access
     d/p/33_scripts__mysql_create_system_tables__no_test.patch,
     d/p/41_scripts__mysql_install_db.sh__no_test.patch,
     d/p/50_mysql-test__db_test.patch: Restored from mysql-5.1 package,
     inadvertently dropped in 5.5 transition. This removes the global
     anonymous access to the database which is a security concern.
   * CVE-2013-2162: Insecure creation of the credential file debian.cnf.
     Set umask to 066 before creating debian.cnf file. (Closes: #711600)
     (LP: #1185573)
   * Add 73_fix_rpl_deadlock_innodb_test.patch.
     Fixes failing rpl.rpl_deadlock_innodb test by ignoring warnings.
   * Disable more test after dropping the test databases
     plugin_auth, plugin_auth_qa_1 and plugin_auth_qa_2 fail as they need to
     operate on test_ databases. Some adaption to either the tests or
     50_mysql-test__db_test.patch might be further needed.
   * Add NEWS file to document changes needed to existing databases




Added tag(s) pending. Request was from James Downing Page <jamespage@moszumanska.debian.org> to control@bugs.debian.org. (Fri, 17 Jan 2014 17:24:04 GMT) Full text and rfc822 format available.

Reply sent to James Page <jamespage@debian.org>:
You have taken responsibility. (Sat, 18 Jan 2014 22:21:21 GMT) Full text and rfc822 format available.

Notification sent to vladz <vladz@devzero.fr>:
Bug acknowledged by developer. (Sat, 18 Jan 2014 22:21:21 GMT) Full text and rfc822 format available.

Message #28 received at 711600-close@bugs.debian.org (full text, mbox):

From: James Page <jamespage@debian.org>
To: 711600-close@bugs.debian.org
Subject: Bug#711600: fixed in mysql-5.5 5.5.35+dfsg-1
Date: Sat, 18 Jan 2014 22:20:03 +0000
Source: mysql-5.5
Source-Version: 5.5.35+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 711600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <jamespage@debian.org> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 Jan 2014 21:38:18 +0000
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.35+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: James Page <jamespage@debian.org>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 711600 732306
Changes: 
 mysql-5.5 (5.5.35+dfsg-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * Drop creation of insecure database permissions (Closes: #732306):
     - d/p/33_scripts__mysql_create_system_tables__no_test.patch,
       d/p/41_scripts__mysql_install_db.sh__no_test.patch,
       d/p/50_mysql-test__db_test.patch: Restored from mysql-5.1
       package, inadvertently dropped in 5.5 transition. This
       removes the global anonymous access to the database which
       is a security concern.
 .
   [ James Page ]
   * New upstream release:
     - d/p/fix-racey-rpltests.patch: Dropped - no longer required.
     - d/p/50_mysql-test__db_test.patch: Add extra permissions to
       mysql-run-tests.pl for test_% accounts, fixing failing tests.
     - d/p/*: Refreshed patches.
     - SECURITY UPDATE:
       http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
       - CVE-2013-5891
       - CVE-2013-5908
       - CVE-2014-0386
       - CVE-2014-0393
       - CVE-2014-0401
       - CVE-2014-0402
       - CVE-2014-0412
       - CVE-2014-0420
       - CVE-2014-0437
   * Sync changes from NMU 5.5.33+dfsg-0+wheezy1:
     - d/NEWS: Add NEWS file to document changes needed to existing databases
       to drop insecure database permissions.
     - SECURITY UPDATE: Insecure creation of the credential file debian.cnf.
       - d/mysql-server-5.5.postinst: Set umask to 066 before creating
         debian.cnf file (Closes: #711600).
       - CVE-2013-2162
     - d/copyright: Update copyright years for upstream files.
   * d/control: Update VCS field for new git location.
   * d/control: Add myself to Uploaders.
   * d/*: Wrap and sort.
   * d/control: Bumped Standards-Version, no changes.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2014 07:25:11 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 13:40:31 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.