[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050607172128.A2489@caldera.com>
Date: Wed Jun 8 01:19:45 2005
From: please_reply_to_security at sco.com (please_reply_to_security@....com)
Subject: UnixWare 7.1.4 : MySQL updated MySQL (version
4.1.11) fixes security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : MySQL updated MySQL (version 4.1.11) fixes security issues
Advisory number: SCOSA-2005.27
Issue date: 2005 June 06
Cross reference: sr893337 fz531603 erg712817 CAN-2004-0957
______________________________________________________________________________
1. Problem Description
MySQL 3.23.58 and earlier, when a local user has privileges
for a database whose name includes a "_" (underscore),
grants privileges to other databases that have similar
names, which can allow the user to conduct unauthorized
activities.
Please note the abbreviated name of the package has been
changed from "mysql" to "MySQL".
Please see the MySQL site for the complete list of changes at:
http://dev.mysql.com/doc/mysql/en/news-4-1-11.html
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following name CAN-2004-0957 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.27
4.2 Verification
MD5 (MySQL-4.1.11.pkg) = 20d18d0cd571f412b211225e5088e3a2
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download MySQL-4.1.11.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/MySQL-4.1.11.pkg
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr893337 fz531603
erg712817.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
This vulnerability was reported to the vendor by Sergei
Golubchik.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCpOPFaqoBO7ipriERAtZ0AKCL3SviPdj0dPsxIb+Mf+LVFC8zLwCfYVzP
1ObL4/3vIrsBk36NVESIzaA=
=B3kQ
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists