lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4243F884.7090107@atlantis.bg>
Date: Fri, 25 Mar 2005 13:39:48 +0200
From: Ventsislav Genchev <vigour@...antis.bg>
To: fedora-legacy-announce@...hat.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [FLSA-2005:2129] Updated mysql packages fix security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ops... my mistake... sry guys... everythink is ok... i just used md5sum
instead of sha1sum ... sry again..

fedora-legacy-announce@...hat.com wrote:
> ---------------------------------------------------------------------
>                Fedora Legacy Update Advisory
> 
> Synopsis:          Updated mysql packages fix security issues
> Advisory ID:       FLSA:2129
> Issue date:        2005-03-24
> Product:           Red Hat Linux, Fedora Core
> Keywords:          Bugfix
> Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2129
> CVE Names:         CAN-2004-0381 CAN-2004-0388 CAN-2004-0457
>                    CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
>                    CAN-2004-0957 CAN-2005-0004
> ---------------------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> 1. Topic:
> 
> Updated mysql packages that fix various security issues are now
> available.
> 
> MySQL is a multi-user, multi-threaded SQL database server.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
> 
> 3. Problem description:
> 
> This update fixes a number of potential security problems associated
> with careless handling of temporary files. The Common Vulnerabilities
> and Exposures project (cve.mitre.org) has assigned the names
> CAN-2004-0381, CAN-2004-0388, CAN-2004-0457, and CAN-2005-0004 to these
> issues.
> 
> Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked
> the CREATE/INSERT rights of the old table instead of the new one. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0835 to this issue.
> 
> Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect
> function. In order to exploit this issue an attacker would need to force
> the use of a malicious DNS server (CAN-2004-0836).
> 
> Dean Ellis discovered that multiple threads ALTERing the same (or
> different) MERGE tables to change the UNION could cause the server to
> crash or stall (CAN-2004-0837).
> 
> Sergei Golubchik discovered that if a user is granted privileges to a
> database with a name containing an underscore ("_"), the user also gains
> the ability to grant privileges to other databases with similar names
> (CAN-2004-0957).
> 
> All users of mysql should upgrade to these updated packages, which
> resolve these issues.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, run:
> 
> rpm -Fvh [filenames]
> 
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which
> are not installed but included in the list will not be updated.  Note
> that you can also use wildcards (*.rpm) if your current directory *only*
> contains the desired RPMs.
> 
> Please note that this update is also available via yum and apt.  Many
> people find this an easier way to apply updates.  To use yum issue:
> 
> yum update
> 
> or to use apt:
> 
> apt-get update; apt-get upgrade
> 
> This will start an interactive process that will result in the
> appropriate RPMs being upgraded on your system.  This assumes that you
> have yum or apt-get configured for obtaining Fedora Legacy content.
> Please visit http://www.fedoralegacy.org/docs for directions on how to
> configure yum and apt-get.
> 
> 5. Bug IDs fixed:
> 
> http://bugzilla.fedora.us - bug #2129 - MySQL Remote Buffer Overflow
> 
> 6. RPMs required:
> 
> Red Hat Linux 7.3:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
> 
> 
> Red Hat Linux 9:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
> 
> 
> Fedora Core 1:
> 
> SRPM:
> http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
> 
> 
> 7. Verification:
> 
> SHA1 sum                                 Package Name
> ---------------------------------------------------------------------
> 
> 04ef0f04b389f7f9fc5bb46f35f81e8503a463ba
> redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
> 879f133178898835609ec305988b473e7221f825
> redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
> 9258ee1dd63f878c376a4e8a4f28e6dc8be11600
> redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
> f8dfbc8e8992bb56c1f8ba9f6917ab0fb11d0e80
> redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
> 246af76de738268375fee9c066efdabdc5a01f73
> redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
> 22b584c92e81cd29086fa2335910ba5b67d22711
> redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
> 4fe21cae92371b5a3ed79858ec5432807bf2cee4
> redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
> 106480fe6f5d56513a4fd77592d5a8e88a9c4825
> redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
> 509f1caeef89bb626334be27e13c4269cc00ca75
> fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
> 7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec
> fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
> 08c25d36193f30dceb4d3f81fbdd69f713fd94b7
> fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
> 8fa58175f2d1baf7d45e8c19939928d3faa113ba
> fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
> 291ec6bb776126c3726dc7dfc067afad520300af
> fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
> 
> These packages are GPG signed by Fedora Legacy for security.  Our key is
> available from http://www.fedoralegacy.org/about/security.php
> 
> You can verify each package with the following command:
> 
>     rpm --checksig -v <filename>
> 
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
> 
>     sha1sum <filename>
> 
> 8. References:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
> 
> 9. Contact:
> 
> The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
> project details at http://www.fedoralegacy.org
> 
> ---------------------------------------------------------------------
> 
> 
> ------------------------------------------------------------------------
> 
> --
> Fedora-legacy-announce mailing list
> Fedora-legacy-announce@...hat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-announce

- --
Ventsislav Genchev
Atlantis BG, Ltd.
E-mail: vigour@...antis.bg
phone: +35928757001


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFCQ/iDwxiN6NaquRwRAteoAKDAlPjrO5S414H09DXt+fI29XIQyQCgpAFq
3EfN2EYu9TQgc3dS8aiU3PM=
=HEwD
-----END PGP SIGNATURE-----

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (3174 bytes)

Powered by blists - more mailing lists