Message-ID: <20060427144559.GB5785@piware.de>
Date: Thu, 27 Apr 2006 16:45:59 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-274-1] MySQL vulnerability

===========================================================
Ubuntu Security Notice USN-274-1	     April 27, 2006
mysql-dfsg vulnerability
CVE-2006-0903
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package to
version 4.0.20-2ubuntu1.7 (for Ubuntu 4.10), 4.0.23-3ubuntu2.2 (for
Ubuntu 5.04), or 4.0.24-10ubuntu2.1 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

A logging bypass was discovered in the MySQL query parser. A local
attacker could exploit this by inserting NUL characters into query
strings (even into comments), which would cause the query to be logged
incompletely.

This only affects you if you enabled the 'log' parameter in the MySQL
configuration.
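
The class of bug described above, as an added example that is not MySQL's code and not part of the original advisory: a logger that formats a query buffer as a C string stops at the first NUL, while a length-aware logger that escapes non-printable bytes records the whole statement. The function names, the "query: " prefix and the sample query are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a query buffer with a NUL byte inside a comment. */
static const char SAMPLE_QUERY[] = "SELECT name /*\0*/ FROM accounts";
#define SAMPLE_LEN (sizeof(SAMPLE_QUERY) - 1)   /* drop the literal's own NUL */

/* Flawed pattern: the buffer is formatted as a C string, so output stops at
   the first NUL. Returns the number of query bytes that reached the log. */
size_t log_query_cstr(char *out, size_t outsz, const char *q, size_t qlen)
{
    snprintf(out, outsz, "query: %s", q);       /* qlen is ignored: the bug */
    return strlen(q);
}

/* Length-aware pattern: walks all qlen bytes and writes non-printable bytes
   and backslashes as \xNN. Returns the number of query bytes logged. */
size_t log_query_escaped(char *out, size_t outsz, const char *q, size_t qlen)
{
    size_t i, n;
    int w = snprintf(out, outsz, "query: ");
    if (w < 0 || (size_t)w >= outsz) return 0;
    n = (size_t)w;
    for (i = 0; i < qlen; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (n + 2 > outsz) break;           /* byte + terminator */
            out[n++] = (char)c;
            out[n] = '\0';
        } else {
            if (n + 5 > outsz) break;           /* "\xNN" + terminator */
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", c);
        }
    }
    return i;
}

/* Audit check: does a captured query contain an embedded NUL? */
int has_embedded_nul(const char *q, size_t qlen)
{
    return memchr(q, '\0', qlen) != NULL;
}

int main(void)
{
    char a[128], b[128];
    log_query_cstr(a, sizeof a, SAMPLE_QUERY, SAMPLE_LEN);
    log_query_escaped(b, sizeof b, SAMPLE_QUERY, SAMPLE_LEN);
    printf("%s\n%s\n", a, b);
    return 0;
}
```

Comparing the byte count a logger returns with the query length the server received is a cheap consistency check for this kind of truncation.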


Updated packages for Ubuntu 4.10:


Updated packages for Ubuntu 5.04:


Updated packages for Ubuntu 5.10:

