lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1KxwLg-0007w1-AP@klecker.debian.org>
Date: Thu, 06 Nov 2008 04:20:00 +0000
From: Devin Carraway <devin@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1662-1                  security@...ian.org
http://www.debian.org/security/                           Devin Carraway
November 06, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : mysql-dfsg-5.0
Vulnerability  : authorization bypass
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-4098
Debian Bug     : 480292

A symlink traversal vulnerability was discovered in MySQL, a
relational database server.  The weakness could permit an attacker
having both CREATE TABLE access to a database and the ability to
execute shell commands on the database server to bypass MySQL access
controls, enabling them to write to tables in databases to which they
would not ordinarily have access.

The Common Vulnerabilities and Exposures project identifies this
vulnerability as CVE-2008-4098.  Note that a closely aligned issue,
identified as CVE-2008-4097, was prevented by the update announced in
DSA-1608-1.  This new update supercedes that fix and mitigates both
potential attack vectors.

For the stable distribution (etch), this problem has been fixed in
version 5.0.32-7etch8.

We recommend that you upgrade your mysql packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
    Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.dsc
    Size/MD5 checksum:     1117 6456a5396b56431a31e2121805ef3208
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.diff.gz
    Size/MD5 checksum:   269277 bc749451446872ac8c8567ed60b0eea6

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch8_all.deb
    Size/MD5 checksum:    48142 761dce88bf46026622550e503800d4c3
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch8_all.deb
    Size/MD5 checksum:    54452 64140dddeb7bd50098ddc6222b4d2939
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch8_all.deb
    Size/MD5 checksum:    46068 0a67c6a61d08bf716c0af68da1585563

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_alpha.deb
    Size/MD5 checksum:  8405572 ceda4648a1bbc48f087f8763350c04e7
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_alpha.deb
    Size/MD5 checksum: 27385278 b5435c8d77f64e1855300e1988570333
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_alpha.deb
    Size/MD5 checksum:  8909972 e76dc32887c4baf25721eff971aa9d60
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_alpha.deb
    Size/MD5 checksum:    48170 c6eb1472bb6cf4fad708c23dd9a78cf8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_alpha.deb
    Size/MD5 checksum:  1947544 73d751f95dc5604d159df910a3157f45

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_amd64.deb
    Size/MD5 checksum:  1831314 6ed359b8f2fb92c5c9846a3743e4b0f8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_amd64.deb
    Size/MD5 checksum:  7549266 ca948f5c66f2172927acd9e5cbf7c9ae
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_amd64.deb
    Size/MD5 checksum:  7371842 7ff54b963be65b5e7d18425cd313bbcb
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_amd64.deb
    Size/MD5 checksum:    48178 127af2553cc1fd9e89f1f69a2eb44709
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_amd64.deb
    Size/MD5 checksum: 25813464 06dc8568f055c04dc4ddfd19de79a704

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_arm.deb
    Size/MD5 checksum:    48230 2a5b1b7b2ed8c94301fc60bd49be7991
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_arm.deb
    Size/MD5 checksum:  7208004 9e268d05c77d521dbe0366961534cdf2
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_arm.deb
    Size/MD5 checksum: 25347882 b89ba96f815a27ebe70014d8c16e6bc0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_arm.deb
    Size/MD5 checksum:  6930850 21ec3a8f5a6634454db8dec30fea9e65
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_arm.deb
    Size/MD5 checksum:  1748390 1877d302ebc91e8ccf104ba2d75479a6

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_hppa.deb
    Size/MD5 checksum: 27178846 d5b6eb3072bb2e8f2d114b182701a736
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_hppa.deb
    Size/MD5 checksum:  8060958 f4d89fec611eb37939d98f3e52391b21
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_hppa.deb
    Size/MD5 checksum:    48174 be34e4d2b05e4b294f5a3396611d4126
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_hppa.deb
    Size/MD5 checksum:  1920860 8ef8d38dc53e5f81eebcad330103062a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_hppa.deb
    Size/MD5 checksum:  8003664 50496388e230ba0e337fadb5611c1bec

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_i386.deb
    Size/MD5 checksum:  1792994 2ee1e253198f7f67be79b40fbcee703a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_i386.deb
    Size/MD5 checksum:  6961428 8be34f2ed518aa47148502b93e468ac0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_i386.deb
    Size/MD5 checksum: 25233474 cf39de0d83a65da443fb77e37976d19b
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_i386.deb
    Size/MD5 checksum:  7199354 d144813e5cd27c684cb8ff45a987159e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_i386.deb
    Size/MD5 checksum:    48166 2f4ab0db379d477d4ea15191a1ff4a7c

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_ia64.deb
    Size/MD5 checksum:  2115810 09e39bed782c6c2e7d689aa999adbfb1
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_ia64.deb
    Size/MD5 checksum: 10342902 c091c2d6b6f02d120b513f07ecada159
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_ia64.deb
    Size/MD5 checksum:  9739330 f158dd90752b99efe92bca049b991696
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_ia64.deb
    Size/MD5 checksum: 30403740 c3daa72e6e34c54f8053887a52395e36
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_ia64.deb
    Size/MD5 checksum:    48170 b9f94375cccf2cb2a3aff60b232b400b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mips.deb
    Size/MD5 checksum:  7674430 311032237de0d11e91d591b006ab6e60
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mips.deb
    Size/MD5 checksum:    48214 0751225fd59fce147105362c6cc30b16
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mips.deb
    Size/MD5 checksum:  7759738 74a1bd32b13f0c57f67100b6c0422d6e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mips.deb
    Size/MD5 checksum:  1835426 f425af4483842630558bdcaaba7ac1ee
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mips.deb
    Size/MD5 checksum: 26472386 ed2e2a0eb36de7424d5bd03ab8f3b8f7

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mipsel.deb
    Size/MD5 checksum: 25846914 766bcfbde62e9f75fc09f8892b1f6095
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mipsel.deb
    Size/MD5 checksum:  7563074 fb084ab6a02dcf12fde22c740d6d63ac
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mipsel.deb
    Size/MD5 checksum:  7642196 c58f251badf84dd7527f6bcf74bc1846
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mipsel.deb
    Size/MD5 checksum:    48174 92fe38d06aac7ca0a1ff1a26f5858704
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mipsel.deb
    Size/MD5 checksum:  1789960 0864b73e16d14ed1776879d3ef2ab5c1

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_powerpc.deb
    Size/MD5 checksum:  7575148 351f97505dde5ce74808b38008a04d1f
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_powerpc.deb
    Size/MD5 checksum:  7513654 5d9f12246f363b4eaab281e6c37ccf48
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_powerpc.deb
    Size/MD5 checksum: 26169508 81c25c622b35bec7d709f8fef4b3ba03
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_powerpc.deb
    Size/MD5 checksum:    48174 43cdd4b621fa97e345162fb5a11c3321
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_powerpc.deb
    Size/MD5 checksum:  1833008 a031cdc91532615006e3433ea1a2b9cc

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_s390.deb
    Size/MD5 checksum:    48172 b15d4493389f2d371d933b3cfec9dbfa
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_s390.deb
    Size/MD5 checksum:  7508416 7950a277db319634c2a61162c531d9f8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_s390.deb
    Size/MD5 checksum:  1952408 4035d4b30041b76cdad65f5093d0191e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_s390.deb
    Size/MD5 checksum: 26765686 38ad49284aa88c6157c496f5583e81b4
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_s390.deb
    Size/MD5 checksum:  7414890 b61ee866d423474e4e76e68527d09b31

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_sparc.deb
    Size/MD5 checksum:  7159698 8ec6e96934ed76dbae21d28ebb701f02
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_sparc.deb
    Size/MD5 checksum: 25578698 e0cd9496cac89eb22ba854b3e10ca96b
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_sparc.deb
    Size/MD5 checksum:  7028544 fa58c135613be17bd723fea6c4f4de0d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_sparc.deb
    Size/MD5 checksum:  1798226 b1a13379770a9b860a6328176c93eecd
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_sparc.deb
    Size/MD5 checksum:    48218 9e6c78e0ae63d91c3361ff106ca0d4a7


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJEmvqU5XKDemr/NIRAtjFAKD0b1I33j80Z6JworeVVlNHKuW4yQCfVusE
I5MOY2TVITMgVkkzs7IrQTw=
=5+yr
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ