lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100607132307.GA6693@SD6-Casa.iuculano.it>
Date: Mon, 7 Jun 2010 15:23:07 +0200
From: Giuseppe Iuculano <iuculano@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2057-1] New mysql-dfsg-5.0 packages fix several
 vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2057-1                  security@...ian.org
http://www.debian.org/security/                        Giuseppe Iuculano
June 07, 2010                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : mysql-dfsg-5.0
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-1626 CVE-2010-1848 CVE-2010-1849 CVE-2010-1850

Several vulnerabilities have been discovered in the MySQL
database server.
The Common Vulnerabilities and Exposures project identifies the
following problems:


CVE-2010-1626

MySQL allows local users to delete the data and index files of another
user's MyISAM table via a symlink attack in conjunction with the DROP
TABLE command.


CVE-2010-1848

MySQL failed to check the table name argument of a COM_FIELD_LIST
command packet for validity and compliance to acceptable table name
standards. This allows an authenticated user with SELECT privileges on
one table to obtain the field definitions of any table in all other
databases and potentially of other MySQL instances accessible from the
server's file system.


CVE-2010-1849

MySQL could be tricked to read packets indefinitely if it received a
packet larger than the maximum size of one packet.
This results in high CPU usage and thus denial of service conditions.


CVE-2010-1850

MySQL was susceptible to a buffer-overflow attack due to a
failure to perform bounds checking on the table name argument of a
COM_FIELD_LIST command packet. By sending long data for the table
name, a buffer is overflown, which could be exploited by an
authenticated user to inject malicious code.


For the stable distribution (lenny), these problems have been fixed in
version 5.0.51a-24+lenny4

The testing (squeeze) and unstable (sid) distribution do not contain
mysql-dfsg-5.0 anymore.

We recommend that you upgrade your mysql-dfsg-5.0 package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny4.diff.gz
    Size/MD5 checksum:   382688 98904282d9b1ba07a5fa441695c9cefd
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny4.dsc
    Size/MD5 checksum:     1746 213d7a9655000a669a9262b68a645b84
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz
    Size/MD5 checksum: 17946664 6fae978908ad5eb790fa3f24f16dadba

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-24+lenny4_all.deb
    Size/MD5 checksum:    53012 7b2c03b1e86bb4634bb65b7fd65a8ce0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-24+lenny4_all.deb
    Size/MD5 checksum:    55208 0059173c20f96569e532f34e8d8e6d3d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-24+lenny4_all.deb
    Size/MD5 checksum:    61784 165889f524b9cd317462910f34871652

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_alpha.deb
    Size/MD5 checksum:  9069806 dbf1efe0f87962a0ce24c3c2026f08fe
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_alpha.deb
    Size/MD5 checksum:  8921072 4109cdb9b571b8384e22990f049077e5
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_alpha.deb
    Size/MD5 checksum: 28367370 1f7b2cbe390dc19230b83aac2b427a1c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_alpha.deb
    Size/MD5 checksum:  2017406 121ad24e4ef9408540b34f4c954ea03a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_amd64.deb
    Size/MD5 checksum:  7586258 dbffd3dcb28daa3070b68f0ee268d6b3
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_amd64.deb
    Size/MD5 checksum: 27296900 030ee9c14fbb373617e77158fb56c40f
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_amd64.deb
    Size/MD5 checksum:  8207020 233dde7fe1c8d16757862037b7f8c551
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_amd64.deb
    Size/MD5 checksum:  1905200 8296b7de029b8208828981d151ad7013

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_arm.deb
    Size/MD5 checksum: 26227842 f2e1a010442bd1b007aa1b12192e507c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_arm.deb
    Size/MD5 checksum:  7158596 b06eb5f03ef7cbc2bdbda36d5f286411
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_arm.deb
    Size/MD5 checksum:  7614948 a3e30a83a7a314001445b0dd39415516
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_arm.deb
    Size/MD5 checksum:  1779078 69f97725b1aa16018a8b59e3f3723568

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_armel.deb
    Size/MD5 checksum:  7261064 5526963b33325b3d6dec386f203ef4c3
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_armel.deb
    Size/MD5 checksum: 26225224 7ac517f02119cb0d7f9d1dd27d863a0b
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_armel.deb
    Size/MD5 checksum:  7650776 41fd6ce03ecbad3ebc876a145a440bc9
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_armel.deb
    Size/MD5 checksum:  1782498 8c8ffcec7cfcf2deaa622bbd3bd3e890

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_hppa.deb
    Size/MD5 checksum:  8435372 3685c8fbee92cc421e2636956caf726a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_hppa.deb
    Size/MD5 checksum:  1958982 3951104d822d5231b6bcc726bd3f538c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_hppa.deb
    Size/MD5 checksum: 27898560 9fbee7a1ac008f5229bc1b6063461d8e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_hppa.deb
    Size/MD5 checksum:  8176082 91f0424391f249a6d3f86bd7adfa9bfb

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_i386.deb
    Size/MD5 checksum:  7201148 dec28c17afdfbc427b03b3dc7b16ae80
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_i386.deb
    Size/MD5 checksum:  1860698 fa79c4525944c5fc2938838697991d2a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_i386.deb
    Size/MD5 checksum:  7785564 59607135a3509e3bdf5aacbe0f7b9e27
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_i386.deb
    Size/MD5 checksum: 26655616 660b2d3f55af9a0ffff5dec3ccb265b2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_ia64.deb
    Size/MD5 checksum:  2186514 3643a5fd53f47e6b37a657c2b985de5d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_ia64.deb
    Size/MD5 checksum: 31432404 302295754438d88e1f29543d92cabfee
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_ia64.deb
    Size/MD5 checksum: 10914492 012586f98c3ef1f59105f7252abae54e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_ia64.deb
    Size/MD5 checksum:  9934262 52aaca8c884acb288570c7187dc80fe6

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_mips.deb
    Size/MD5 checksum:  7886638 3674f662a26dee543e841dbc1aa90001
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mips.deb
    Size/MD5 checksum: 26949468 c16b353714abef0109c31f24cd95157a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_mips.deb
    Size/MD5 checksum:  1857996 19eb0e571e285ed370ff048a86c180de
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_mips.deb
    Size/MD5 checksum:  7852966 ad5ceec59cd351e9643f3fe7815899e4

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_mipsel.deb
    Size/MD5 checksum:  7778208 efd2025f639ba1f75601692d1f773482
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mipsel.deb
    Size/MD5 checksum: 26454824 8c5c4d499e98a454d994a9799f867235
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_mipsel.deb
    Size/MD5 checksum:  1818040 983d9f0b274554af24895a9bf9da2d58
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_mipsel.deb
    Size/MD5 checksum:  7724872 2afe270ee53d403ff3d1b5e1449fb6cf

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_powerpc.deb
    Size/MD5 checksum:  1917272 3e0cd81b4034a0572a04f0825f63539f
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_powerpc.deb
    Size/MD5 checksum: 27147186 a29b658c4a423ade01f38d383d8990bb
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_powerpc.deb
    Size/MD5 checksum:  8155688 cf97ff51341b672a192b29fb196a33d8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_powerpc.deb
    Size/MD5 checksum:  7606414 a5ff20347ea77cba2e1f9775462b4e3b

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_s390.deb
    Size/MD5 checksum: 28243518 d76d51037f58b1a4d55e2721b6b524dd
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_s390.deb
    Size/MD5 checksum:  7703306 7ded6daec5c06279f46e9e077f972fc2
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_s390.deb
    Size/MD5 checksum:  2032080 df093a3278065afc3623d993760142b5
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_s390.deb
    Size/MD5 checksum:  8238026 4121d28d8ee97640c82faf40745d64fb

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_sparc.deb
    Size/MD5 checksum: 26847970 562cd268e46900380d05e83d48e7f854
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_sparc.deb
    Size/MD5 checksum:  7758418 446a2a74ca3c548d3fe9286c7534ca25
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_sparc.deb
    Size/MD5 checksum:  1872840 2ea462a86056196ca11bf08a700f461a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_sparc.deb
    Size/MD5 checksum:  7144452 8bb91966144e610e56f1480f23c6d47a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwM8rsACgkQNxpp46476aqiMQCfZmJr090XSr9fDzJ6xIIC6qKw
imoAn2qnpAr7dXW3rJL8keHEQhqKOUqX
=ory/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ