lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1FiCt8-000okjC__8943.58548471264$1148326700$gmane$org@finlandia.Infodrom.North.DE>
Date: Mon, 22 May 2006 18:04:10 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1073-1] New MySQL 4.1 packages fix several vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1073-1                    security@...ian.org
http://www.debian.org/security/                             Martin Schulze
May 22nd, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql-dfsg-4.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518
CERT advisory  : VU#602457
BugTraq IDs    : 16850 17780
Debian Bugs    : 366043 366048 366162

Several vulnerabilities have been discovered in MySQL, a popular SQL
database.  The Common Vulnerabilities and Exposures Project identifies
the following problems:

CVE-2006-0903

    Improper handling of SQL queries containing the NULL character
    allow local users to bypass logging mechanisms.

CVE-2006-1516

    Usernames without a trailing null byte allow remote attackers to
    read portions of memory.

CVE-2006-1517

    A request with an incorrect packet length allows remote attackers
    to obtain sensitive information.

CVE-2006-1518

    Specially crafted request packets with invalid length values allow
    the execution of arbitrary code.

The following vulnerability matrix shows which version of MySQL in
which distribution has this problem fixed:

                   woody            sarge            sid
mysql            3.23.49-8.15        n/a             n/a
mysql-dfsg          n/a         4.0.24-10sarge2      n/a
mysql-dfsg-4.1      n/a         4.1.11a-4sarge3      n/a
mysql-dfsg-5.0      n/a              n/a           5.0.21-3

We recommend that you upgrade your mysql packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge3.dsc
      Size/MD5 checksum:     1029 fe1531d1b5169733638e64b98a0f2472
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge3.diff.gz
      Size/MD5 checksum:   166194 9ebbc861250d2e411a5e35cb7fc7fa6b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
      Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge3_all.deb
      Size/MD5 checksum:    36074 dfb28c5169a7eaffd8fe72748a4a8a44

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_alpha.deb
      Size/MD5 checksum:  1590330 f982bc8df8b3ff88b6284e81223d69b5
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_alpha.deb
      Size/MD5 checksum:  7965144 881d5404f897d454100ee9a0b758b22b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_alpha.deb
      Size/MD5 checksum:  1000496 30eb22210f99994481d1cb8d0f49ea70
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_alpha.deb
      Size/MD5 checksum: 17487728 c0a3b1d60dd487ae9d468dc7052c4c1b

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_amd64.deb
      Size/MD5 checksum:  1451580 f407ef8b6c520b23020df6f8ce4495aa
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_amd64.deb
      Size/MD5 checksum:  5551440 d1ded46c8b586cdee728fab22180208f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_amd64.deb
      Size/MD5 checksum:   849082 9161807c8c260e7e0e2cd0cb9fa3a79d
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_amd64.deb
      Size/MD5 checksum: 14711044 d2d9275ff03c2c04adb64658a7e78564

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_arm.deb
      Size/MD5 checksum:  1388548 d823fd3ad8b1c5d54bfd7dbfc0957809
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_arm.deb
      Size/MD5 checksum:  5558362 4f49eae43b10441c852a91f02d9383fc
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_arm.deb
      Size/MD5 checksum:   836292 8616c375f5da29fac8c75081475390e8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_arm.deb
      Size/MD5 checksum: 14557420 ac1dd6ea1d457a55f0920cf5367df57a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_i386.deb
      Size/MD5 checksum:  1417574 c6bdb99fa2ab2def5403bfd97657b3bf
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_i386.deb
      Size/MD5 checksum:  5643226 a407082ba8a04f1753f70fe9c8e3f70c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_i386.deb
      Size/MD5 checksum:   830226 997baad8b8255166dfebd155f24c7558
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_i386.deb
      Size/MD5 checksum: 14557608 c73ddde57d286c9df3742d5fd619281b

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_ia64.deb
      Size/MD5 checksum:  1712842 eef94aab0159f71a9fd90772f91b4a76
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_ia64.deb
      Size/MD5 checksum:  7782132 755cc9d914f6ae116d5540920bf8dc99
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_ia64.deb
      Size/MD5 checksum:  1050204 b2ee7722223cb450f866ce69852fe304
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_ia64.deb
      Size/MD5 checksum: 18475254 c72ffcb6e1e7796b466950aceae48bb3

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_hppa.deb
      Size/MD5 checksum:  1550772 a7627788d338b1ee32017bbafcdd1bcd
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_hppa.deb
      Size/MD5 checksum:  6249776 3d4fc83da65ac4fe5a4b6135a20debf8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_hppa.deb
      Size/MD5 checksum:   909638 ebf27138ed29103d90e6be0f5a8e28a0
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_hppa.deb
      Size/MD5 checksum: 15791200 3be40e327c9c309556f9b767fe6b8e58

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_m68k.deb
      Size/MD5 checksum:  1397530 e0e5f01d008cd40ee38b7e7a30f5d69e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_m68k.deb
      Size/MD5 checksum:  5283788 d4186f7a2c0c231d4376087a51b74a5a
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_m68k.deb
      Size/MD5 checksum:   803448 772bd59ae1d8ea5af95dc2b416661608
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_m68k.deb
      Size/MD5 checksum: 14071540 766cce55819838830b209a23b343c5c2

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_mips.deb
      Size/MD5 checksum:  1478502 618699397eb82eead99acf01c4d25f59
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_mips.deb
      Size/MD5 checksum:  6052694 7fe59dab19ac323389bdbefefcb2f472
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_mips.deb
      Size/MD5 checksum:   904080 d140aaa93ad6fc52372b6860f5196685
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_mips.deb
      Size/MD5 checksum: 15410072 ffd30ff403a343eda1467d543a9485bc

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_mipsel.deb
      Size/MD5 checksum:  1445934 a5642a17a417b705c53b6689727f28d9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_mipsel.deb
      Size/MD5 checksum:  5971150 cb94a8fac63741d802344a41758108e1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_mipsel.deb
      Size/MD5 checksum:   889688 bf8b2046d3da235c9717342c0fe802d7
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_mipsel.deb
      Size/MD5 checksum: 15104986 c67d26b51c37892ced55a971c3e2ed73

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_powerpc.deb
      Size/MD5 checksum:  1476442 b6365d6bef0817718550fd344151b3a6
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_powerpc.deb
      Size/MD5 checksum:  6027254 cb0be5d5ff7180c0e36850a69a5159c6
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_powerpc.deb
      Size/MD5 checksum:   906982 23b1bb52a6df22e84f3677e3eec0c0b4
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_powerpc.deb
      Size/MD5 checksum: 15402586 2af7f90038dbb3f60cc1c62c159ff18e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_s390.deb
      Size/MD5 checksum:  1538088 68fd210fd6eb741baa8ae48540ce696c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_s390.deb
      Size/MD5 checksum:  5461222 0734f9fec16ab4b2aa96bc53fb68fdae
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_s390.deb
      Size/MD5 checksum:   883848 4cf9f929345df7259c78b731a8eda589
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_s390.deb
      Size/MD5 checksum: 15055130 883b34ff52b3fffdf62845cabe5a99c4

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge3_sparc.deb
      Size/MD5 checksum:  1460258 513bb61a8a20c6eb55722b37a21010eb
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge3_sparc.deb
      Size/MD5 checksum:  6207684 b6191cb684d4d7057d5577840d932d6d
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge3_sparc.deb
      Size/MD5 checksum:   867786 a695ec3e218569ce84ad39413e113123
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge3_sparc.deb
      Size/MD5 checksum: 15391404 79c1c0e272f8f21b9b72486945104400


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEceD5W5ql+IAeqTIRAgMXAJ9HEJIeepWNbNODO+eYZ4U6Nix4cACgrca3
Z4KxnuPVh9m6XDvu0An6fM4=
=4K+c
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ