lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1226954526.8216.5.camel@mdlinux.technorage.com>
Date: Mon, 17 Nov 2008 15:42:06 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-671-1] MySQL vulnerabilities

===========================================================
Ubuntu Security Notice USN-671-1          November 17, 2008
mysql-dfsg-5.0 vulnerabilities
CVE-2008-2079, CVE-2008-3963, CVE-2008-4097, CVE-2008-4098
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mysql-server-5.0                5.0.22-0ubuntu6.06.11

Ubuntu 7.10:
  mysql-server-5.0                5.0.45-1ubuntu3.4

Ubuntu 8.04 LTS:
  mysql-server-5.0                5.0.51a-3ubuntu5.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the
DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege
checks. This update alters table creation behaviour by disallowing the
use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY
options. (CVE-2008-2079, CVE-2008-4097 and CVE-2008-4098)

It was discovered that MySQL did not handle empty bit-string literals
properly. An attacker could exploit this problem and cause the MySQL
server to crash, leading to a denial of service. (CVE-2008-3963)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.11.diff.gz
      Size/MD5:   166038 5bb9d1f41b8a34e3f935d87cf8ea553c
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.11.dsc
      Size/MD5:     1124 dfb2b087d32df29aa9697dd004c488c4
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22.orig.tar.gz
      Size/MD5: 18446645 2b8f36364373461190126817ec872031

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.22-0ubuntu6.06.11_all.deb
      Size/MD5:    38944 2f54e68e4fa140998c0cb78a70fc119e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.22-0ubuntu6.06.11_all.deb
      Size/MD5:    41488 ef268bffd224ccf90dd590820de702a7
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.22-0ubuntu6.06.11_all.deb
      Size/MD5:    38948 6bd7b45911f2bacec67d578ee812f110

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_amd64.deb
      Size/MD5:  6729886 af2c395368182937c76d5f165d478df3
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_amd64.deb
      Size/MD5:  1423924 58ca08b4eef39c0e2d34aaa2cddf42cb
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_amd64.deb
      Size/MD5:  6897622 fc9e0c76dbde4321de287a102c002db2
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_amd64.deb
      Size/MD5: 22493516 ec7f8f5c669bb7f1ca0b7d54bd63ca7d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_i386.deb
      Size/MD5:  6142732 d411a303d293fd8559f042ce230615d1
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_i386.deb
      Size/MD5:  1384350 1dcfa047e463b45f45942ac0bea623b1
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_i386.deb
      Size/MD5:  6280092 9a555aa506be5086d952af12afbf5b3d
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_i386.deb
      Size/MD5: 21352916 0285f357ed2a35ecbd81b7f13fcbe0dd

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_powerpc.deb
      Size/MD5:  6886660 c3f1cef7637a94b3c4ba3d3cc74a4a36
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_powerpc.deb
      Size/MD5:  1464208 1ab2aa38f4e27b74e3d3e962e44977e3
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_powerpc.deb
      Size/MD5:  6944814 311ed284fb1456d3e20fc49b53ae1020
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_powerpc.deb
      Size/MD5: 22708138 87480f1d414b63dd32f9bc017786573e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_sparc.deb
      Size/MD5:  6435552 66ae0f7ef9fef58a118965e54af6d751
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_sparc.deb
      Size/MD5:  1436346 e2c0b9566472e770eb2d58be24de248c
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_sparc.deb
      Size/MD5:  6542200 09a89f54af6584167a1cae9cffbc735f
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_sparc.deb
      Size/MD5: 21974286 cab9ee96e01b4df8243bf74767819088

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-1ubuntu3.4.diff.gz
      Size/MD5:   243362 6b79d30861b757447d41706e3731e395
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-1ubuntu3.4.dsc
      Size/MD5:     1302 9a87569e45aded8c98c43d53c12d30de
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45.orig.tar.gz
      Size/MD5: 17801680 ab450aa2e9b89f3b4e01fd12375b1bee

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.45-1ubuntu3.4_all.deb
      Size/MD5:    48538 8338809ac72972866d2363a6ce681c15
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.45-1ubuntu3.4_all.deb
      Size/MD5:    56744 71342b47c409b2b4e4ead8c8cef4e7f8
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.45-1ubuntu3.4_all.deb
      Size/MD5:    50738 2e37d678979ce0a893092d1ff949d4e1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_amd64.deb
      Size/MD5:  7564626 120e18e6fc2d3208b0531cac5d8209a0
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_amd64.deb
      Size/MD5:  1917186 838695d874b436643792bec417299410
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_amd64.deb
      Size/MD5:  7999284 e73b18453d17f783e5e4c4653e7ff893
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_amd64.deb
      Size/MD5: 27571570 6f0e6edd92ab9f107149952c4fc5e14d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_i386.deb
      Size/MD5:  7043450 a33ba64ed57deb1bef09ddae94abe8c0
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_i386.deb
      Size/MD5:  1867614 f16cc5ff9ffdf951f47da895a4f40f93
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_i386.deb
      Size/MD5:  7497426 43ab893a69ae8bf09d8795281509d50d
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_i386.deb
      Size/MD5: 26786564 33eceaf638a2d9042d32b41b2498394a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_lpia.deb
      Size/MD5:  7023394 ce3cbd8d1d3636158e26aac448f17e6e
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_lpia.deb
      Size/MD5:  1843862 33187655eeaf528d82620681bab73a9b
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_lpia.deb
      Size/MD5:  7518330 457f957ebbf1cc88d7bd433354b99d8b
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_lpia.deb
      Size/MD5: 26760376 b52d4eea4a46f8eab45d1b991dd6bfae

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_powerpc.deb
      Size/MD5:  7762838 9ba0474b47f276590162a3c85c0d382f
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_powerpc.deb
      Size/MD5:  1949498 2fe6fd7147097a2dbe1768b12a505fc9
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_powerpc.deb
      Size/MD5:  8066000 0a14243fe3631806abb5de27bd3e03dc
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_powerpc.deb
      Size/MD5: 28023398 138612db5e9249bb2c54f4d71a0914d3

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_sparc.deb
      Size/MD5:  7173132 2b4016c87626737b6a970ed169c80a24
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_sparc.deb
      Size/MD5:  1877642 14963beda22c01f734c403822d561ef8
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_sparc.deb
      Size/MD5:  7583722 c1a60b545f38172c683d76ea953f41f6
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_sparc.deb
      Size/MD5: 27140728 b79d11ad9b4cf9b20a92ca1bfccf6eeb

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-3ubuntu5.4.diff.gz
      Size/MD5:   314416 a98a2519ef59bc5b0cef4940c4961f35
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-3ubuntu5.4.dsc
      Size/MD5:     1430 57f5a32ccf3d46aefcb56407fc238007
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz
      Size/MD5: 17946664 6fae978908ad5eb790fa3f24f16dadba

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-3ubuntu5.4_all.deb
      Size/MD5:    52052 8200893fa342e477a2af354d141015e7
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-3ubuntu5.4_all.deb
      Size/MD5:    60302 8e8d4aa0af490eeadde3d1684c669de1
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-3ubuntu5.4_all.deb
      Size/MD5:    54240 34a21b40b4e18dd8dbfbf5ca30fd8e53

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_amd64.deb
      Size/MD5:  7594702 71f4511bd9ce2275d080bf4f27e8f4dd
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_amd64.deb
      Size/MD5:  1877812 afa3900abcb025df70ccc444444a006a
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_amd64.deb
      Size/MD5:  8241010 cdb59824c82d8412a4f324f38f9c1260
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_amd64.deb
      Size/MD5: 28018274 b106f4f668381cd55a5da7d40be9e7ce

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_i386.deb
      Size/MD5:  7216262 f252c8299c00e805022a99374561eeba
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_i386.deb
      Size/MD5:  1836766 247b3c027653b3f6cd9b89320ba7572e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_i386.deb
      Size/MD5:  7826312 f948d312520c64c0d73982e162201f09
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_i386.deb
      Size/MD5: 27427752 090b315903161e7f72d0b7e2be804ee1

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_lpia.deb
      Size/MD5:  7160694 d0bd82cf31dae1cec8ca04241baba49d
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_lpia.deb
      Size/MD5:  1826820 3bb18a419dceccfb58aa5d3cd99bf31a
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_lpia.deb
      Size/MD5:  7840058 80f24b9ce82a2f93f4ed8ce635114e7a
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_lpia.deb
      Size/MD5: 27357990 65e92cb0e552509a820410351456fa97

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_powerpc.deb
      Size/MD5:  7587468 045eee93159914db564084d88a3d5304
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_powerpc.deb
      Size/MD5:  1915302 eef9aedee7b37cb81a9a980d42049406
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_powerpc.deb
      Size/MD5:  8241574 7f57a684310fe601446729a3e539b49f
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_powerpc.deb
      Size/MD5: 28344344 d3be9955a55a22ced19fe9d25b129bd6

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_sparc.deb
      Size/MD5:  7199786 d2c692836274f21677499177121e046b
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_sparc.deb
      Size/MD5:  1846000 b0456b96173850dfa4eb597c4d42f4ac
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_sparc.deb
      Size/MD5:  7830916 cd55ac1ad14ce9713de2e8c9397c1018
    http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_sparc.deb
      Size/MD5: 27642386 8cf989c15071150c10abc1175c048022



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ