Security vulnerability in MySQL/MariaDB
A vulnerability has been identified in MySQL and MariaDB.
Under specific conditions, an attacker can provide any password and it will be accepted.
The affected source file is password.c.
You can find a more detailed explanation and a fix here:
http://seclists.org/oss-sec/2012/q2/493
All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
If you know a username (root in most cases), a situation arises where, if you connect approximately 250 to 300 times, MySQL will allow you to connect without any password.
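As an added example (not code from the original post or from either project), this Python helper classifies server version strings against the version lists above so an inventory can be triaged. The host names and banners in the sample inventory are constructed, and the handling of a "5.5.5-" prefix on MariaDB 10+ banners is an assumption about how the version string was collected.

```python
import re

# Patch levels per release branch, copied from the version lists above.
LAST_VULNERABLE = {(5, 1): 61, (5, 2): 11, (5, 3): 5, (5, 5): 22}
FIRST_FIXED = {
    "mariadb": {(5, 1): 62, (5, 2): 12, (5, 3): 6, (5, 5): 23},
    "mysql": {(5, 1): 63, (5, 5): 24, (5, 6): 6},
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a server version string."""
    # Assumption: MariaDB 10+ handshake banners carry a "5.5.5-" compatibility
    # prefix (e.g. "5.5.5-10.0.12-MariaDB"); drop it so the real version is read.
    banner = re.sub(r"^5\.5\.5-(?=\d+\.\d+\.\d+)", "", banner.strip())
    match = VERSION_RE.search(banner)
    if match is None:
        return "unlisted"
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    flavor = "mariadb" if "mariadb" in banner.lower() else "mysql"
    fixed_from = FIRST_FIXED[flavor].get(branch)
    if fixed_from is not None and patch >= fixed_from:
        return "fixed"
    last_bad = LAST_VULNERABLE.get(branch)
    if last_bad is not None and patch <= last_bad:
        return "vulnerable"
    # Falls in a gap the lists do not cover (e.g. MySQL 5.5.23) or in a branch
    # they do not mention: report it for manual review instead of guessing.
    return "unlisted"


def audit(inventory):
    """Map each host to its classification, leaving out hosts that are fixed."""
    results = {host: classify(banner) for host, banner in inventory.items()}
    return {host: state for host, state in results.items() if state != "fixed"}


# Constructed sample inventory: host names and banners are illustrative only.
SAMPLE_INVENTORY = {
    "db1.example.test": "5.5.22-log",
    "db2.example.test": "5.5.23-MariaDB",
    "db3.example.test": "5.5.23",
    "db4.example.test": "5.1.63-0ubuntu0.10.04.1",
    "db5.example.test": "5.5.5-10.0.12-MariaDB",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {state}")
```

Hosts reported as "unlisted" fall outside what the lists state and need a manual check against the vendor's release notes.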