[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1KxwLg-0007w1-AP@klecker.debian.org>
Date: Thu, 06 Nov 2008 04:20:00 +0000
From: Devin Carraway <devin@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1662-1 security@...ian.org
http://www.debian.org/security/ Devin Carraway
November 06, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : mysql-dfsg-5.0
Vulnerability : authorization bypass
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-4098
Debian Bug : 480292
A symlink traversal vulnerability was discovered in MySQL, a
relational database server. The weakness could permit an attacker
having both CREATE TABLE access to a database and the ability to
execute shell commands on the database server to bypass MySQL access
controls, enabling them to write to tables in databases to which they
would not ordinarily have access.
The Common Vulnerabilities and Exposures project identifies this
vulnerability as CVE-2008-4098. Note that a closely aligned issue,
identified as CVE-2008-4097, was prevented by the update announced in
DSA-1608-1. This new update supercedes that fix and mitigates both
potential attack vectors.
For the stable distribution (etch), this problem has been fixed in
version 5.0.32-7etch8.
We recommend that you upgrade your mysql packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.dsc
Size/MD5 checksum: 1117 6456a5396b56431a31e2121805ef3208
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.diff.gz
Size/MD5 checksum: 269277 bc749451446872ac8c8567ed60b0eea6
Architecture independent packages:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch8_all.deb
Size/MD5 checksum: 48142 761dce88bf46026622550e503800d4c3
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch8_all.deb
Size/MD5 checksum: 54452 64140dddeb7bd50098ddc6222b4d2939
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch8_all.deb
Size/MD5 checksum: 46068 0a67c6a61d08bf716c0af68da1585563
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_alpha.deb
Size/MD5 checksum: 8405572 ceda4648a1bbc48f087f8763350c04e7
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_alpha.deb
Size/MD5 checksum: 27385278 b5435c8d77f64e1855300e1988570333
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_alpha.deb
Size/MD5 checksum: 8909972 e76dc32887c4baf25721eff971aa9d60
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_alpha.deb
Size/MD5 checksum: 48170 c6eb1472bb6cf4fad708c23dd9a78cf8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_alpha.deb
Size/MD5 checksum: 1947544 73d751f95dc5604d159df910a3157f45
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_amd64.deb
Size/MD5 checksum: 1831314 6ed359b8f2fb92c5c9846a3743e4b0f8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_amd64.deb
Size/MD5 checksum: 7549266 ca948f5c66f2172927acd9e5cbf7c9ae
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_amd64.deb
Size/MD5 checksum: 7371842 7ff54b963be65b5e7d18425cd313bbcb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_amd64.deb
Size/MD5 checksum: 48178 127af2553cc1fd9e89f1f69a2eb44709
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_amd64.deb
Size/MD5 checksum: 25813464 06dc8568f055c04dc4ddfd19de79a704
arm architecture (ARM)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_arm.deb
Size/MD5 checksum: 48230 2a5b1b7b2ed8c94301fc60bd49be7991
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_arm.deb
Size/MD5 checksum: 7208004 9e268d05c77d521dbe0366961534cdf2
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_arm.deb
Size/MD5 checksum: 25347882 b89ba96f815a27ebe70014d8c16e6bc0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_arm.deb
Size/MD5 checksum: 6930850 21ec3a8f5a6634454db8dec30fea9e65
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_arm.deb
Size/MD5 checksum: 1748390 1877d302ebc91e8ccf104ba2d75479a6
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_hppa.deb
Size/MD5 checksum: 27178846 d5b6eb3072bb2e8f2d114b182701a736
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_hppa.deb
Size/MD5 checksum: 8060958 f4d89fec611eb37939d98f3e52391b21
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_hppa.deb
Size/MD5 checksum: 48174 be34e4d2b05e4b294f5a3396611d4126
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_hppa.deb
Size/MD5 checksum: 1920860 8ef8d38dc53e5f81eebcad330103062a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_hppa.deb
Size/MD5 checksum: 8003664 50496388e230ba0e337fadb5611c1bec
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_i386.deb
Size/MD5 checksum: 1792994 2ee1e253198f7f67be79b40fbcee703a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_i386.deb
Size/MD5 checksum: 6961428 8be34f2ed518aa47148502b93e468ac0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_i386.deb
Size/MD5 checksum: 25233474 cf39de0d83a65da443fb77e37976d19b
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_i386.deb
Size/MD5 checksum: 7199354 d144813e5cd27c684cb8ff45a987159e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_i386.deb
Size/MD5 checksum: 48166 2f4ab0db379d477d4ea15191a1ff4a7c
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_ia64.deb
Size/MD5 checksum: 2115810 09e39bed782c6c2e7d689aa999adbfb1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_ia64.deb
Size/MD5 checksum: 10342902 c091c2d6b6f02d120b513f07ecada159
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_ia64.deb
Size/MD5 checksum: 9739330 f158dd90752b99efe92bca049b991696
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_ia64.deb
Size/MD5 checksum: 30403740 c3daa72e6e34c54f8053887a52395e36
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_ia64.deb
Size/MD5 checksum: 48170 b9f94375cccf2cb2a3aff60b232b400b
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mips.deb
Size/MD5 checksum: 7674430 311032237de0d11e91d591b006ab6e60
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mips.deb
Size/MD5 checksum: 48214 0751225fd59fce147105362c6cc30b16
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mips.deb
Size/MD5 checksum: 7759738 74a1bd32b13f0c57f67100b6c0422d6e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mips.deb
Size/MD5 checksum: 1835426 f425af4483842630558bdcaaba7ac1ee
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mips.deb
Size/MD5 checksum: 26472386 ed2e2a0eb36de7424d5bd03ab8f3b8f7
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mipsel.deb
Size/MD5 checksum: 25846914 766bcfbde62e9f75fc09f8892b1f6095
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mipsel.deb
Size/MD5 checksum: 7563074 fb084ab6a02dcf12fde22c740d6d63ac
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mipsel.deb
Size/MD5 checksum: 7642196 c58f251badf84dd7527f6bcf74bc1846
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mipsel.deb
Size/MD5 checksum: 48174 92fe38d06aac7ca0a1ff1a26f5858704
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mipsel.deb
Size/MD5 checksum: 1789960 0864b73e16d14ed1776879d3ef2ab5c1
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_powerpc.deb
Size/MD5 checksum: 7575148 351f97505dde5ce74808b38008a04d1f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_powerpc.deb
Size/MD5 checksum: 7513654 5d9f12246f363b4eaab281e6c37ccf48
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_powerpc.deb
Size/MD5 checksum: 26169508 81c25c622b35bec7d709f8fef4b3ba03
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_powerpc.deb
Size/MD5 checksum: 48174 43cdd4b621fa97e345162fb5a11c3321
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_powerpc.deb
Size/MD5 checksum: 1833008 a031cdc91532615006e3433ea1a2b9cc
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_s390.deb
Size/MD5 checksum: 48172 b15d4493389f2d371d933b3cfec9dbfa
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_s390.deb
Size/MD5 checksum: 7508416 7950a277db319634c2a61162c531d9f8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_s390.deb
Size/MD5 checksum: 1952408 4035d4b30041b76cdad65f5093d0191e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_s390.deb
Size/MD5 checksum: 26765686 38ad49284aa88c6157c496f5583e81b4
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_s390.deb
Size/MD5 checksum: 7414890 b61ee866d423474e4e76e68527d09b31
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_sparc.deb
Size/MD5 checksum: 7159698 8ec6e96934ed76dbae21d28ebb701f02
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_sparc.deb
Size/MD5 checksum: 25578698 e0cd9496cac89eb22ba854b3e10ca96b
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_sparc.deb
Size/MD5 checksum: 7028544 fa58c135613be17bd723fea6c4f4de0d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_sparc.deb
Size/MD5 checksum: 1798226 b1a13379770a9b860a6328176c93eecd
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_sparc.deb
Size/MD5 checksum: 48218 9e6c78e0ae63d91c3361ff106ca0d4a7
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFJEmvqU5XKDemr/NIRAtjFAKD0b1I33j80Z6JworeVVlNHKuW4yQCfVusE
I5MOY2TVITMgVkkzs7IrQTw=
=5+yr
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists