Message-ID: <20060427144559.GB5785@piware.de>
Date: Thu, 27 Apr 2006 16:45:59 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-274-1] MySQL vulnerability
===========================================================
Ubuntu Security Notice USN-274-1 April 27, 2006
mysql-dfsg vulnerability
CVE-2006-0903
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package to
version 4.0.20-2ubuntu1.7 (for Ubuntu 4.10), 4.0.23-3ubuntu2.2 (for
Ubuntu 5.04), or 4.0.24-10ubuntu2.1 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

A logging bypass was discovered in the MySQL query parser. A local
attacker could exploit this by inserting NUL characters into query
strings (even into comments), which would cause the query to be logged
incompletely.

This only affects you if you enabled the 'log' parameter in the MySQL
configuration.
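
A simplified model of the logging gap described above, added here as an illustration and not taken from the MySQL source or the Ubuntu patch: it assumes the log writer treats the query as a NUL-terminated C string, and contrasts that with a length-aware writer that escapes non-printable bytes. The function names and the sample query are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a query with a NUL byte inside a comment. The
   length travels with the buffer, so the executor sees all 21 bytes. */
const char SAMPLE_QUERY[] = "SELECT 1 /*\0*/ FROM t";
#define SAMPLE_LEN (sizeof SAMPLE_QUERY - 1)

/* Audit check: does the counted buffer contain a NUL at all? */
int has_embedded_nul(const char *q, size_t len)
{
    return memchr(q, 0, len) != NULL;
}

/* Assumed flawed writer: "%s" stops at the first NUL, so the log line
   holds only a prefix. Returns the number of query bytes recorded. */
size_t log_cstring(char *out, size_t cap, const char *q)
{
    snprintf(out, cap, "%s", q);
    return strlen(out);
}

/* Length-aware writer: every byte is recorded; NUL, control bytes and
   backslash become \xNN. Returns the number of query bytes recorded. */
size_t log_counted(char *out, size_t cap, const char *q, size_t len)
{
    size_t i, o = 0;
    if (cap == 0)
        return 0;
    for (i = 0; i < len && o + 5 <= cap; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c >= 0x20 && c < 0x7f && c != '\\')
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, cap - o, "\\x%02x", (unsigned)c);
    }
    out[o] = '\0';
    return i;
}

int main(void)
{
    char line[128];
    size_t n = log_cstring(line, sizeof line, SAMPLE_QUERY);
    printf("cstring: %zu/%zu bytes: %s\n", n, SAMPLE_LEN, line);
    n = log_counted(line, sizeof line, SAMPLE_QUERY, SAMPLE_LEN);
    printf("counted: %zu/%zu bytes: %s\n", n, SAMPLE_LEN, line);
    printf("embedded NUL: %d\n", has_embedded_nul(SAMPLE_QUERY, SAMPLE_LEN));
    return 0;
}
```

A gap between the bytes recorded and the length of the received query is the condition an audit of query logs should flag.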