2017-12-13 22:26 UTC

ID: 0004129
Project: Kali Linux
Category: [All Projects] Kali Package Bug
View Status: public
Last Update: 2017-09-08 10:20
Reporter: muts
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 2017.1
Target Version: 2017.2
Fixed in Version:
Summary: 0004129: Mysql server contains a root mysql user authorized from aphrodite.kali.org
Description: The Mysql server in the Kali ISO (and consequently in HD installs) contains a root mysql user authorized from aphrodite.kali.org.
Additional Information: aphrodite.kali.org is the machine where we build our i386/amd64 ISOs.

It might be that the mysql package is setting this itself on installation... there is a debconf prompt for the root password and its default value is an empty string. While it probably should be set to root@localhost, it might be taking the build server hostname instead.

The mysql server is not enabled by default. When enabled, it listens on the loopback device unless the mysql configuration file is explicitly set to listen on the external interface.

Notes

~0006963

muts (administrator)

Last edited: 2017-08-02 19:26


Unable to replicate on a fully updated kali-rolling instance, or an azure instance.

MariaDB [(none)]> select user,host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+
1 row in set (0.00 sec)

MariaDB [(none)]>


What additional info can you provide? Kali version, architecture, etc, would help a lot.

~0006964

muts (administrator)

Unable to replicate on Kali 2017.1.

~0006965

radu.stanescu (reporter)

I was able to reproduce it on a deployment from a VM or ISO of Kali 2017.1 downloaded before June 2017, but up to date.
On the latest ISO / VM downloaded from the website, the issue no longer occurs.

~0006974

rhertzog (administrator)

Is there any need to investigate this further since our latest release seems to no longer be affected by the issue?

~0007267

rhertzog (administrator)

I don't think that any fix is needed. The problem does not affect fresh installs. It only affected an old version of mysql-server and we use mariadb currently.

The impact is very limited and only affects mysql instances listening on a public IP address (which is not a good idea from the start). So I'm closing this ticket.
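
Added example (not part of the ticket or of Kali's own tooling): a Python check that reads the client output of the `select user,host from mysql.user` query used in the notes above and labels every account that is not loopback-only. The function names, the sample table and the hostname "kali" used when testing it are assumptions made for illustration.

```python
import socket
import sys

# Host values that only allow connections from the machine itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the affected state described in the report.
SAMPLE = """\
+------+--------------------+
| user | host               |
+------+--------------------+
| root | localhost          |
| root | aphrodite.kali.org |
+------+--------------------+
"""

def parse_client_table(text):
    """Return (user, host) pairs from the mysql client's boxed table output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # borders, prompts and the "N rows in set" footer
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and [c.lower() for c in cells] != ["user", "host"]:
            rows.append((cells[0], cells[1]))
    return rows

def classify(host, own_hostname):
    """Label a host field as local, self, wildcard or foreign."""
    h = host.lower()
    if h in LOCAL_HOSTS:
        return "local"
    if h == own_hostname.lower():
        return "self"
    if "%" in h or "_" in h:
        return "wildcard"  # % and _ are pattern characters in host values
    return "foreign"  # names some other machine, e.g. an image build host

def audit(text, own_hostname):
    """Return (user, host, label) for every account that is not loopback-only."""
    rows = parse_client_table(text)
    labelled = [(u, h, classify(h, own_hostname)) for u, h in rows]
    return [row for row in labelled if row[2] != "local"]

if __name__ == "__main__":
    # mysql -t -e 'select user,host from mysql.user' | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user, host, label in audit(text, socket.gethostname()):
        print(f"{user}@{host}: {label}")
```

A "foreign" row on an installed system is the condition this ticket describes; the clean output quoted in note 0006963 produces no findings.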

Issue History
Date Modified Username Field Change
2017-08-02 18:31 muts New Issue
2017-08-02 18:31 muts Status new => assigned
2017-08-02 18:31 muts Assigned To => rhertzog
2017-08-02 18:57 muts Additional Information Updated
2017-08-02 19:26 muts Note Added: 0006963
2017-08-02 19:26 muts Note Edited: 0006963
2017-08-02 19:26 muts Note Edited: 0006963
2017-08-02 19:34 muts Note Added: 0006964
2017-08-02 19:49 muts Additional Information Updated
2017-08-02 22:23 radu.stanescu Note Added: 0006965
2017-08-07 15:35 rhertzog Note Added: 0006974
2017-09-08 10:20 rhertzog Status assigned => closed
2017-09-08 10:20 rhertzog Resolution open => no change required
2017-09-08 10:20 rhertzog Note Added: 0007267