[JCSN-001] MySQL Charm Vulnerability

Mark Mims mark.mims at canonical.com
Wed Aug 22 20:48:50 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


==========================================================
Juju CharmStore Security Notice - JCSN-001 August 22, 2012
==========================================================

MySQL Charm Vulnerability
==========================================


A security issue affects these releases of Ubuntu and its derivatives:

* Ubuntu 12.04 LTS
* Ubuntu 11.10


Summary
=======

The mysql charm uses insufficient permissions to protect the mysql
admin password.


Software Description
====================

* mysql charm: a Juju Charm to manage a mysql database service


Details
=======

Kurt Hewig discovered that the mysql charm left the admin password file
world-readable.  Any user on that instance could gain mysql admin
rights for that database server.


Update instructions
===================

The problem is corrected in the charm store for both precise and
oneiric.  It is fixed in subsequent deploys from the charm store and
can be fixed on existing services by running::

  juju upgrade-charm <service-name>


* Ubuntu 12.04 LTS

  - mysql charm, cs:precise/mysql-6 (charm revision 148)

* Ubuntu 11.10

  - mysql charm, cs:oneiric/mysql-1 (charm revision 119)


References
==========

* http://jujucharms.com/security-notices/jcsn/jcsn-001


Branch Information
==================

* https://code.launchpad.net/~charmers/charms/precise/mysql/trunk
* https://code.launchpad.net/~charmers/charms/oneiric/mysql/trunk

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----

-- 
Mark Mims, Ph.D.
Ubuntu Server Team
Canonical Ltd.
mark.mims at canonical.com
+1(512)981-6467
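
The following shell example is added here and is not taken from the notice or from the mysql charm. It contrasts a umask-dependent way of writing a password file with a private one and checks the resulting mode; the function names, the file name admin.passwd and the password value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not the charm's own.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when neither group nor other has any access to the file.
is_private() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Weak pattern: the mode comes from the process umask (022 gives 0644).
write_secret_weak() {
    ( umask 022; printf '%s\n' "$2" > "$1" )
}

# Hardened pattern: tighten the umask before the file exists, then set the
# mode explicitly so a file left over from an earlier deploy is fixed too.
write_secret_private() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Print every listed file that group or other can access; 1 if any was found.
audit_files() {
    rc=0
    for f in "$@"; do
        is_private "$f" || { echo "NOT PRIVATE: $f ($(file_mode "$f"))"; rc=1; }
    done
    return "$rc"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
write_secret_weak "$demo_dir/admin.passwd" "constructed-password"
audit_files "$demo_dir/admin.passwd" || echo "weak writer left the file exposed"
write_secret_private "$demo_dir/admin.passwd" "constructed-password"
audit_files "$demo_dir/admin.passwd" && echo "all files private"
rm -rf "$demo_dir"
```

After running juju upgrade-charm on an existing service, audit_files can be pointed at the unit's password file to confirm the mode was tightened.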


