Message-ID: <4243F37D.1010802@atlantis.bg>
Date: Fri, 25 Mar 2005 13:18:21 +0200
From: Ventsislav Genchev <vigour@...antis.bg>
To: fedora-legacy-announce@...hat.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [FLSA-2005:2129] Updated mysql packages fix security issues
I get an incorrect md5sum for this package:
106480fe6f5d56513a4fd77592d5a8e88a9c4825
redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
didn't check the others...
$ md5sum mysql-3.23.58-1.90.5.legacy.src.rpm
a75573a4ce3e865f3b682ff8f65f41a7 mysql-3.23.58-1.90.5.legacy.src.rpm
Is this a mistake, or was the package changed?
fedora-legacy-announce@...hat.com wrote:
> ---------------------------------------------------------------------
> Fedora Legacy Update Advisory
>
> Synopsis: Updated mysql packages fix security issues
> Advisory ID: FLSA:2129
> Issue date: 2005-03-24
> Product: Red Hat Linux, Fedora Core
> Keywords: Bugfix
> Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2129
> CVE Names: CAN-2004-0381 CAN-2004-0388 CAN-2004-0457
> CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
> CAN-2004-0957 CAN-2005-0004
> ---------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------
> 1. Topic:
>
> Updated mysql packages that fix various security issues are now
> available.
>
> MySQL is a multi-user, multi-threaded SQL database server.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
>
> 3. Problem description:
>
> This update fixes a number of potential security problems associated
> with careless handling of temporary files. The Common Vulnerabilities
> and Exposures project (cve.mitre.org) has assigned the names
> CAN-2004-0381, CAN-2004-0388, CAN-2004-0457, and CAN-2005-0004 to these
> issues.
>
> Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked
> the CREATE/INSERT rights of the old table instead of the new one. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0835 to this issue.
>
> Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect
> function. In order to exploit this issue an attacker would need to force
> the use of a malicious DNS server (CAN-2004-0836).
>
> Dean Ellis discovered that multiple threads ALTERing the same (or
> different) MERGE tables to change the UNION could cause the server to
> crash or stall (CAN-2004-0837).
>
> Sergei Golubchik discovered that if a user is granted privileges to a
> database with a name containing an underscore ("_"), the user also gains
> the ability to grant privileges to other databases with similar names
> (CAN-2004-0957).
>
> All users of mysql should upgrade to these updated packages, which
> resolve these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which
> are not installed but included in the list will not be updated. Note
> that you can also use wildcards (*.rpm) if your current directory *only*
> contains the desired RPMs.
>
> Please note that this update is also available via yum and apt. Many
> people find this an easier way to apply updates. To use yum issue:
>
> yum update
>
> or to use apt:
>
> apt-get update; apt-get upgrade
>
> This will start an interactive process that will result in the
> appropriate RPMs being upgraded on your system. This assumes that you
> have yum or apt-get configured for obtaining Fedora Legacy content.
> Please visit http://www.fedoralegacy.org/docs for directions on how to
> configure yum and apt-get.
>
> 5. Bug IDs fixed:
>
> http://bugzilla.fedora.us - bug #2129 - MySQL Remote Buffer Overflow
>
> 6. RPMs required:
>
> Red Hat Linux 7.3:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
>
>
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
>
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
>
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
>
>
> Red Hat Linux 9:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
>
>
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
>
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
>
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
>
>
> Fedora Core 1:
>
> SRPM:
> http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
>
>
> i386:
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
>
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
>
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
>
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
>
>
> 7. Verification:
>
> SHA1 sum                                  Package Name
> ---------------------------------------------------------------------
>
> 04ef0f04b389f7f9fc5bb46f35f81e8503a463ba  redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
> 879f133178898835609ec305988b473e7221f825  redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
> 9258ee1dd63f878c376a4e8a4f28e6dc8be11600  redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
> f8dfbc8e8992bb56c1f8ba9f6917ab0fb11d0e80  redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
> 246af76de738268375fee9c066efdabdc5a01f73  redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
> 22b584c92e81cd29086fa2335910ba5b67d22711  redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
> 4fe21cae92371b5a3ed79858ec5432807bf2cee4  redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
> 106480fe6f5d56513a4fd77592d5a8e88a9c4825  redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
> 509f1caeef89bb626334be27e13c4269cc00ca75  fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
> 7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec  fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
> 08c25d36193f30dceb4d3f81fbdd69f713fd94b7  fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
> 8fa58175f2d1baf7d45e8c19939928d3faa113ba  fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
> 291ec6bb776126c3726dc7dfc067afad520300af  fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
>
> These packages are GPG signed by Fedora Legacy for security. Our key is
> available from http://www.fedoralegacy.org/about/security.php
>
> You can verify each package with the following command:
>
> rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
>
> sha1sum <filename>
>
> 8. References:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
>
> 9. Contact:
>
> The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
> project details at http://www.fedoralegacy.org
>
> ---------------------------------------------------------------------
>
>
--
Ventsislav Genchev
Atlantis BG, Ltd.
E-mail: vigour@...antis.bg
phone: +35928757001
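The advisory's section 7 pairs each package with a SHA-1 sum and tells readers to check it with sha1sum. The script below is an added example, not part of the advisory or of Fedora Legacy's tooling: it reads a list in the advisory's "<sha1>  <path>" layout, hashes whichever of those packages are present in a download directory with sha1sum, and reports mismatches. It also rejects list entries that are not 40 hex characters, since a 32-character value is an MD5 and comparing it against sha1sum output (or a SHA-1 against md5sum output) can only ever mismatch. The list file path, the download directory and the function name are assumptions; coreutils sha1sum and cut are required.

```shell
#!/bin/sh
# verify_advisory_sums SUMLIST DIR
#   SUMLIST: one "<sha1>  <relative/path/to/package>" entry per line,
#            as copied from the advisory's "7. Verification" section.
#   DIR:     directory holding the downloaded RPMs (basenames only,
#            since mirrors usually flatten the advisory's directory layout).
# Returns 0 when every listed package found in DIR matches, 1 otherwise.
# Note: this only checks integrity; signature checking is rpm --checksig.
verify_advisory_sums() {
    sumlist=$1
    dir=$2
    status=0
    while read -r expected relpath; do
        [ -n "$expected" ] || continue          # skip blank lines
        # Guard against the md5/sha1 mix-up: SHA-1 is always 40 hex chars.
        if [ "${#expected}" -ne 40 ]; then
            echo "BAD-LIST $relpath (listed sum has ${#expected} chars, SHA-1 has 40)"
            status=1
            continue
        fi
        file="$dir/$(basename "$relpath")"
        if [ ! -f "$file" ]; then
            echo "SKIP     $relpath (not downloaded)"
            continue
        fi
        # sha1sum prints "<hash>  <file>"; keep only the hash.
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath"
            echo "         expected $expected"
            echo "         got      $actual"
            status=1
        fi
    done < "$sumlist"
    return $status
}

# Run directly as: sh verify.sh advisory-sums.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_advisory_sums "$1" "$2"
fi
```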