lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060529060651.AAABCFD8C__32350.4506530755$1148917408$gmane$org@finlandia.infodrom.north.de>
Date: Mon, 29 May 2006 08:06:51 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1079-1] New MySQL 4.0 packages fix several vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1079-1                    security@...ian.org
http://www.debian.org/security/                             Martin Schulze
May 29th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql-dfsg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518
CERT advisory  : VU#602457
BugTraq IDs    : 16850 17780
Debian Bugs    : 366044 366049 366163

Several vulnerabilities have been discovered in MySQL, a popular SQL
database.  The Common Vulnerabilities and Exposures Project identifies
the following problems:

CVE-2006-0903

    Improper handling of SQL queries containing the NULL character
    allow local users to bypass logging mechanisms.

CVE-2006-1516

    Usernames without a trailing null byte allow remote attackers to
    read portions of memory.

CVE-2006-1517

    A request with an incorrect packet length allows remote attackers
    to obtain sensitive information.

CVE-2006-1518

    Specially crafted request packets with invalid length values allow
    the execution of arbitrary code.

The following vulnerability matrix shows which version of MySQL in
which distribution has this problem fixed:

                   woody            sarge            sid
mysql            3.23.49-8.15        n/a             n/a
mysql-dfsg          n/a         4.0.24-10sarge2      n/a
mysql-dfsg-4.1      n/a         4.1.11a-4sarge3      n/a
mysql-dfsg-5.0      n/a              n/a           5.0.21-3

We recommend that you upgrade your mysql packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.dsc
      Size/MD5 checksum:      966 42f14bb83f832f0f88bdabb317f62df8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.diff.gz
      Size/MD5 checksum:    98938 9aaf7d794c14faa63a05d7630f683383
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
      Size/MD5 checksum:  9923794 aed8f335795a359f32492159e3edfaa3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-common_4.0.24-10sarge2_all.deb
      Size/MD5 checksum:    34566 f4aa726f5f9ec79e42799a40faabcf17

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_alpha.deb
      Size/MD5 checksum:   356730 97904c2a773bc61c643e4dce283a2862
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_alpha.deb
      Size/MD5 checksum:  4533478 8edafbc553d062864c4bb17cbca3211b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_alpha.deb
      Size/MD5 checksum:   520712 5883aef348e2eb1321b21051cdd604be
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_alpha.deb
      Size/MD5 checksum:  4890620 824e4c4c078ef73612fccbea7e209651

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_amd64.deb
      Size/MD5 checksum:   309490 c7943142f1f618987c87073c5893174e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_amd64.deb
      Size/MD5 checksum:  3182676 e62cc19620500c5430447978b7e645c6
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_amd64.deb
      Size/MD5 checksum:   434022 55e3f43e8ac136951fc1b679df820cd1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_amd64.deb
      Size/MD5 checksum:  3878414 5ab561357abca1720b9942c9f8e78a4e

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_arm.deb
      Size/MD5 checksum:   288180 6869739c00a8151a181ec8cfffe1ec70
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_arm.deb
      Size/MD5 checksum:  2848430 945158edc0fba528a04f98170fe55921
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_arm.deb
      Size/MD5 checksum:   414176 8ecea50cf576d50bd5ceb6424915da52
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_arm.deb
      Size/MD5 checksum:  3482538 ae6cb51798ea91d7b6009dcd80a55e43

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_i386.deb
      Size/MD5 checksum:   296570 7cdd0f7a094215ab98249514031ef9a0
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_i386.deb
      Size/MD5 checksum:  2922132 84cffb8467493bcf0cf49ef3a21caa67
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_i386.deb
      Size/MD5 checksum:   415162 7bb2bfd6b9853d51abbf958eeed5b23f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_i386.deb
      Size/MD5 checksum:  3645982 b2d2991bee2e019a45cbaa39fa7e9f6b

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_ia64.deb
      Size/MD5 checksum:   395396 b03b6af8b0e21c8e80bbc8d2ef5c7817
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_ia64.deb
      Size/MD5 checksum:  4472590 aa5afd6648c2034fd0d254100e2e42fc
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_ia64.deb
      Size/MD5 checksum:   562984 e357eebc432a81d9f8f4c94f365528d4
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_ia64.deb
      Size/MD5 checksum:  5328582 1f528438e2282f4b51c13932d70875fd

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_hppa.deb
      Size/MD5 checksum:   329948 864b11f30e86d7d2921caeda238f22f9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_hppa.deb
      Size/MD5 checksum:  3314390 12c74247254b89c93dc5aecf74c3249f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_hppa.deb
      Size/MD5 checksum:   456078 cf903d0dcb745d67f4ad66ad3a4b66f2
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_hppa.deb
      Size/MD5 checksum:  3947304 f8feb350cc9a6db2979d215ea6735bda

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_m68k.deb
      Size/MD5 checksum:   279504 9a202261b9627190d15ab5bb7e98d0e2
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_m68k.deb
      Size/MD5 checksum:  2665612 e49f8b011912473604c9df82047fd244
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_m68k.deb
      Size/MD5 checksum:   390304 d04f65d12c590a0239408e3293c80714
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_m68k.deb
      Size/MD5 checksum:  3293046 8a049030853d08742488a1e4dabc504d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mips.deb
      Size/MD5 checksum:   314170 41c279180276fcf8effa8573fe75a158
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mips.deb
      Size/MD5 checksum:  3182296 f9fe3b82095434f04871092f1431d2d1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mips.deb
      Size/MD5 checksum:   457290 19243ed43a65f65a3dee76657274f365
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mips.deb
      Size/MD5 checksum:  3813374 f71b04ee43e3629dd410dd72e0d1ac15

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mipsel.deb
      Size/MD5 checksum:   313862 ae441e9b7d18e9f5b16a01243f8a292b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mipsel.deb
      Size/MD5 checksum:  3170026 7fdcb95df46e805c350d1035e5e3534e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mipsel.deb
      Size/MD5 checksum:   457296 fe2c3473cbcf10cbacb4a9606a8b285a
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mipsel.deb
      Size/MD5 checksum:  3800380 db0f0b418fb92dd9978fe75df5356fef

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_powerpc.deb
      Size/MD5 checksum:   315104 3f28badbf686cbff4a4905bdc507e31d
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_powerpc.deb
      Size/MD5 checksum:  3184308 8c986e6f386b84f960894575e557c6b7
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_powerpc.deb
      Size/MD5 checksum:   464662 d48488660fc50361bdb58dc446a67b89
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_powerpc.deb
      Size/MD5 checksum:  3842406 902b6725bcbf405d723f3bdb1f86b52b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_s390.deb
      Size/MD5 checksum:   324700 5e52e1cc8b4781dd510c0c36e54cef11
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_s390.deb
      Size/MD5 checksum:  2830282 e6dd53a143318bb922716105e9be4131
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_s390.deb
      Size/MD5 checksum:   442420 41c28b4e3e625278b6231be2c254e75c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_s390.deb
      Size/MD5 checksum:  3665834 d8283a9161d27bec024d5f24822847ae

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_sparc.deb
      Size/MD5 checksum:   304688 6e3e90483f30e8c1e002594b69bbd7f9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_sparc.deb
      Size/MD5 checksum:  3270002 eb343d64b0e0b4d0c2f6f2197148f3e9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_sparc.deb
      Size/MD5 checksum:   430014 568bcb494e04f9e47e419a9cc7a7c49b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_sparc.deb
      Size/MD5 checksum:  3821652 2714c3d57dd30d1ef31951d452660f7c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEeo97W5ql+IAeqTIRAuTLAJwKm6rRzBaeZmQ4y9Y7wv02RQpt9QCdFMTf
FRJBNsjzYnZHLqWfE15sizQ=
=eOok
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ