MySQL Unauthenticated Remote Access Vulnerability

Version 3.22.32 has been made available by the vendor at:
This version will fix the vulnerabilities outlined in this entry.
A fixed version of the 3.23.x tree (Alpha tree) will be available shortly.

FreeBSD has made fixed FreeBSD ports of mySQL available at:

An unsupported patch was provided with the vulnerability posting:

Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a
length check, _before_ starting the compare.
This should be as easy as inserting the following just above the
while (*scrambled) loop:

if (strlen(scrambled) != strlen(to)) {
    return 1;    /* lengths differ: reject without comparing any bytes */
}
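
To show why the length check has to come before the byte compare, the following is a simplified model written for this entry, not MySQL's own check_scramble: the loop-only version accepts any client-supplied string that matches a prefix of the expected value (including the empty string), while the version with the advisory's check inserted above the loop rejects it. The function names check_scramble_vuln and check_scramble_fixed and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a scrambled-password check (not MySQL's own
 * check_scramble). Returns 0 on match, 1 on mismatch, as in the advisory. */

/* Loop-only compare: it stops at the end of the client-supplied string, so a
 * string that matches only a prefix of the expected value (even "") is
 * treated as a match. This is the defect the advisory's check addresses. */
int check_scramble_vuln(const char *scrambled, const char *to)
{
    while (*scrambled) {
        if (*scrambled++ != *to++)
            return 1;
    }
    return 0;
}

/* Same compare with the advisory's length check inserted just above the
 * while (*scrambled) loop: lengths must agree before any byte is compared. */
int check_scramble_fixed(const char *scrambled, const char *to)
{
    if (strlen(scrambled) != strlen(to)) {
        return 1;
    }
    while (*scrambled) {
        if (*scrambled++ != *to++)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *expected = "3a5f9c1e";   /* constructed sample value */
    const char *inputs[] = { "3a5f9c1e", "3a5f", "", "3a5f9c1X" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-10s vuln=%d fixed=%d\n", inputs[i],
               check_scramble_vuln(inputs[i], expected),
               check_scramble_fixed(inputs[i], expected));
    }
    return 0;
}
```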

Additional security can be achieved by allowing only essential hosts to connect to the database server.


Copyright 2010, SecurityFocus