[rt-users] Fetchmail and mysql security problems

Lorens Kockum rt-id-45 at lists.lorens.org
Sun Dec 15 14:52:17 EST 2002


Slightly off-topic, but I imagine a lot of RT admins get their
mail with fetchmail, a lot from external sources, and some RT
admins might have untrusted mysql users . . . so, as seen on
Vulnwatch (.org) Friday and Saturday, discovered by e-matters
(http://security.e-matters.de):

  bug in fetchmail, permitting execution of arbitrary code as
  user running fetchmail, exploitable with just a malicious
  mail, corrected in fetchmail 6.2.0 released Dec 13 2002

  bugs in MySQL, permitting root access to databases, execution
  of arbitrary code as mysqld, malicious server executing code
  on clients, denial of service . . . corrected in MySQL 3.23.54
  released 12 December 2002.

No exploits released.

Time for an upgrade, people . . .

I'm not certain, but I don't think Debian and RedHat packages have
been updated yet. Maybe by the time you read this!

-- 
#include <std_disclaim.h>                          Lorens Kockum


