lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1I6Djo-0003kW-Bw@artemis.annvix.ca>
Date: Wed, 04 Jul 2007 16:54:20 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDKSA-2007:139 ] - Updated MySQL packages fix
 multiple security issues


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:139
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : MySQL
 Date    : July 4, 2007
 Affected: 2007.0, 2007.1, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 MySQL 5.x before 5.0.36 allows local users to cause a denial of service
 (database crash) by performing information_schema table subselects
 and using ORDER BY to sort a single-row result, which prevents
 certain structure elements from being initialized and triggers a
 NULL dereference in the filesort function. This issue does not affect
 MySQL 5.0.37 in Mandriva Linux 2007.1. (CVE-2007-1420)
 
 The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40,
 and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause
 a denial of service (crash) via a crafted IF clause that results in
 a divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
 
 MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18
 does not require the DROP privilege for RENAME TABLE statements,
 which allows remote authenticated users to rename arbitrary
 tables. (CVE-2007-2691)
 
 Updated packages have been patched to prevent the above issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2583
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2691
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 21bf6c3cf8908d8ec01317dbbaeda4d4  2007.0/i586/MySQL-5.0.24a-2.1mdv2007.0.i586.rpm
 af81d1d15cceb0906b17ed905c8027c6  2007.0/i586/MySQL-Max-5.0.24a-2.1mdv2007.0.i586.rpm
 a90669dfc21494a4453bc31620513b82  2007.0/i586/MySQL-bench-5.0.24a-2.1mdv2007.0.i586.rpm
 bd4a71a850f5df9c7583d7eff0fa2a88  2007.0/i586/MySQL-client-5.0.24a-2.1mdv2007.0.i586.rpm
 6cbd4325f98ba34c3c0c07da93edf9f7  2007.0/i586/MySQL-common-5.0.24a-2.1mdv2007.0.i586.rpm
 a7eef0dd7b38e3a704b49d57d9cae953  2007.0/i586/MySQL-ndb-extra-5.0.24a-2.1mdv2007.0.i586.rpm
 1165add80c08fdbe13c9d0906340a998  2007.0/i586/MySQL-ndb-management-5.0.24a-2.1mdv2007.0.i586.rpm
 1dab5164b03c4689a9289e5b8e4c1b83  2007.0/i586/MySQL-ndb-storage-5.0.24a-2.1mdv2007.0.i586.rpm
 cfc946c33e31cad4eb3d2cee60101af8  2007.0/i586/MySQL-ndb-tools-5.0.24a-2.1mdv2007.0.i586.rpm
 25fa8c6756256c4dd67ece5a36651394  2007.0/i586/libmysql15-5.0.24a-2.1mdv2007.0.i586.rpm
 a36d220223051510d41b4f9a4505cc21  2007.0/i586/libmysql15-devel-5.0.24a-2.1mdv2007.0.i586.rpm
 6257cf37dd793e4e28079e24d85371cf  2007.0/i586/libmysql15-static-devel-5.0.24a-2.1mdv2007.0.i586.rpm 
 61fd5383c89b7599741d3627c6a568f2  2007.0/SRPMS/MySQL-5.0.24a-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 3cc829514ba910e9d3118874a3390e51  2007.0/x86_64/MySQL-5.0.24a-2.1mdv2007.0.x86_64.rpm
 6f84bac1c088b0ef773dcdc051de08e5  2007.0/x86_64/MySQL-Max-5.0.24a-2.1mdv2007.0.x86_64.rpm
 84e4c7c9cbd439444bfb3353994e8d23  2007.0/x86_64/MySQL-bench-5.0.24a-2.1mdv2007.0.x86_64.rpm
 96ac718984a765f95002a0ee934e93cd  2007.0/x86_64/MySQL-client-5.0.24a-2.1mdv2007.0.x86_64.rpm
 1bed2bc4d5c4f5700b13495d8bb6f3c4  2007.0/x86_64/MySQL-common-5.0.24a-2.1mdv2007.0.x86_64.rpm
 55ea8d680cfdeaf48eeacf3aa789ab19  2007.0/x86_64/MySQL-ndb-extra-5.0.24a-2.1mdv2007.0.x86_64.rpm
 4047515dedd71ffe9c6fd4268e25f115  2007.0/x86_64/MySQL-ndb-management-5.0.24a-2.1mdv2007.0.x86_64.rpm
 05c75e22bf10cff94581eaa3096c2e47  2007.0/x86_64/MySQL-ndb-storage-5.0.24a-2.1mdv2007.0.x86_64.rpm
 c105dd5a6a0c96ad00795183ed9f6ae8  2007.0/x86_64/MySQL-ndb-tools-5.0.24a-2.1mdv2007.0.x86_64.rpm
 41c0722f531c0af55c3b2d621c29f009  2007.0/x86_64/lib64mysql15-5.0.24a-2.1mdv2007.0.x86_64.rpm
 58801989259c4983f0201bab1bdb4d0e  2007.0/x86_64/lib64mysql15-devel-5.0.24a-2.1mdv2007.0.x86_64.rpm
 dc9cbf9b7edc50053dbad01c988667c1  2007.0/x86_64/lib64mysql15-static-devel-5.0.24a-2.1mdv2007.0.x86_64.rpm 
 61fd5383c89b7599741d3627c6a568f2  2007.0/SRPMS/MySQL-5.0.24a-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 96494772204a2bbf2be3832500782456  2007.1/i586/MySQL-5.0.37-2.1mdv2007.1.i586.rpm
 4c0fdbce214a1b313d5157a1b455c2f4  2007.1/i586/MySQL-Max-5.0.37-2.1mdv2007.1.i586.rpm
 8b068d834518bdb3dc1f5f92bb496b8b  2007.1/i586/MySQL-bench-5.0.37-2.1mdv2007.1.i586.rpm
 654367537e3d73b9913e7f49e9e368cc  2007.1/i586/MySQL-client-5.0.37-2.1mdv2007.1.i586.rpm
 eb29ca9f2ba5bcddd89dfba36b33b608  2007.1/i586/MySQL-common-5.0.37-2.1mdv2007.1.i586.rpm
 c5d4e06f21fbc62ef670b708125ff156  2007.1/i586/MySQL-ndb-extra-5.0.37-2.1mdv2007.1.i586.rpm
 0f38ad5a905ee7b11a793fd8f96ebf72  2007.1/i586/MySQL-ndb-management-5.0.37-2.1mdv2007.1.i586.rpm
 4e4c72d48124ddffe141caffa291eb7e  2007.1/i586/MySQL-ndb-storage-5.0.37-2.1mdv2007.1.i586.rpm
 598327f4a6954b7d66ae670150423d10  2007.1/i586/MySQL-ndb-tools-5.0.37-2.1mdv2007.1.i586.rpm
 0b3bb96443df3752707f4f350aa82795  2007.1/i586/libmysql15-5.0.37-2.1mdv2007.1.i586.rpm
 4a04bedbd2ee2645c884e2b43bfb8148  2007.1/i586/libmysql15-devel-5.0.37-2.1mdv2007.1.i586.rpm
 93e902375f1fe1e6748c6770aa727cfb  2007.1/i586/libmysql15-static-devel-5.0.37-2.1mdv2007.1.i586.rpm 
 20002982712cf20e3b568952153bf934  2007.1/SRPMS/MySQL-5.0.37-2.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 ce3cf3bd485bc610d6206b8e9c485bec  2007.1/x86_64/MySQL-5.0.37-2.1mdv2007.1.x86_64.rpm
 cd61f695c1b2bb7936f6e7c6f9852a03  2007.1/x86_64/MySQL-Max-5.0.37-2.1mdv2007.1.x86_64.rpm
 130ab74a2ecb353740fa3ce72de0d2e1  2007.1/x86_64/MySQL-bench-5.0.37-2.1mdv2007.1.x86_64.rpm
 d19473f9ef587d648ba9eb9432cabb96  2007.1/x86_64/MySQL-client-5.0.37-2.1mdv2007.1.x86_64.rpm
 9a7242331c11e17774778e25cc070bfb  2007.1/x86_64/MySQL-common-5.0.37-2.1mdv2007.1.x86_64.rpm
 af8a57d23ba18c6d26d6c8e86c78ecd5  2007.1/x86_64/MySQL-ndb-extra-5.0.37-2.1mdv2007.1.x86_64.rpm
 a485fdba11c17a31736304ec4c350219  2007.1/x86_64/MySQL-ndb-management-5.0.37-2.1mdv2007.1.x86_64.rpm
 71740a48d949c431ab93147ae9a1f016  2007.1/x86_64/MySQL-ndb-storage-5.0.37-2.1mdv2007.1.x86_64.rpm
 c75e0882938222abed05802d776d705b  2007.1/x86_64/MySQL-ndb-tools-5.0.37-2.1mdv2007.1.x86_64.rpm
 3cc3e00778849eb1441d7d1b8ffb9c77  2007.1/x86_64/lib64mysql15-5.0.37-2.1mdv2007.1.x86_64.rpm
 34f0aab6fbf146fa753b6e74d018b9b4  2007.1/x86_64/lib64mysql15-devel-5.0.37-2.1mdv2007.1.x86_64.rpm
 e578aa3c0533512d3172a8783951a78b  2007.1/x86_64/lib64mysql15-static-devel-5.0.37-2.1mdv2007.1.x86_64.rpm 
 20002982712cf20e3b568952153bf934  2007.1/SRPMS/MySQL-5.0.37-2.1mdv2007.1.src.rpm

 Corporate 4.0:
 6dd1e46117228da990577dcc61c62924  corporate/4.0/i586/MySQL-5.0.24-1.1.20060mlcs4.i586.rpm
 056f42ca5a679334f5b10fee2ac7c3ff  corporate/4.0/i586/MySQL-Max-5.0.24-1.1.20060mlcs4.i586.rpm
 8ef459e29a6e0b6efc41ce10865b05c7  corporate/4.0/i586/MySQL-bench-5.0.24-1.1.20060mlcs4.i586.rpm
 7d3b7b1714983c1d2eafdf8cc7bc4575  corporate/4.0/i586/MySQL-client-5.0.24-1.1.20060mlcs4.i586.rpm
 0f011f86f0cd69f8298d68e711194396  corporate/4.0/i586/MySQL-common-5.0.24-1.1.20060mlcs4.i586.rpm
 7863f10c35563f5ae5ab69d4c6991932  corporate/4.0/i586/MySQL-ndb-extra-5.0.24-1.1.20060mlcs4.i586.rpm
 a09a90a1f7f30a7d4656f5315f3f91ea  corporate/4.0/i586/MySQL-ndb-management-5.0.24-1.1.20060mlcs4.i586.rpm
 4daff89ac6a7eefa3959a3a3f4bbfa52  corporate/4.0/i586/MySQL-ndb-storage-5.0.24-1.1.20060mlcs4.i586.rpm
 b1eda7ba40300324970df9167782c33b  corporate/4.0/i586/MySQL-ndb-tools-5.0.24-1.1.20060mlcs4.i586.rpm
 56444ba86d330cd75ebb83f2aab6aaa8  corporate/4.0/i586/libmysql15-5.0.24-1.1.20060mlcs4.i586.rpm
 8b567ebda8df1f0712ee98fdace57817  corporate/4.0/i586/libmysql15-devel-5.0.24-1.1.20060mlcs4.i586.rpm
 423a28d42aec3612823398b88d6ab0ce  corporate/4.0/i586/libmysql15-static-devel-5.0.24-1.1.20060mlcs4.i586.rpm 
 4151b2b3b22cd4b8c1dc031fb3430d78  corporate/4.0/SRPMS/MySQL-5.0.24-1.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b89177a384077e76ef9df8d021c74a66  corporate/4.0/x86_64/MySQL-5.0.24-1.1.20060mlcs4.x86_64.rpm
 3c7b768ba6f05ea036d940cc58c6500a  corporate/4.0/x86_64/MySQL-Max-5.0.24-1.1.20060mlcs4.x86_64.rpm
 95da2d0ea66c4de6dadbd89324197a27  corporate/4.0/x86_64/MySQL-bench-5.0.24-1.1.20060mlcs4.x86_64.rpm
 a5c454af184c33ce1e8d555ace6c8931  corporate/4.0/x86_64/MySQL-client-5.0.24-1.1.20060mlcs4.x86_64.rpm
 34f0b93bc7b48c1f8fa04a74550036c3  corporate/4.0/x86_64/MySQL-common-5.0.24-1.1.20060mlcs4.x86_64.rpm
 9882f3066be03c78f7dd7bbe1bf0c555  corporate/4.0/x86_64/MySQL-ndb-extra-5.0.24-1.1.20060mlcs4.x86_64.rpm
 9c61cca4d73f8f0baf55987f538d6872  corporate/4.0/x86_64/MySQL-ndb-management-5.0.24-1.1.20060mlcs4.x86_64.rpm
 2d155a51c2c9ecd4ad645dcfe314280c  corporate/4.0/x86_64/MySQL-ndb-storage-5.0.24-1.1.20060mlcs4.x86_64.rpm
 eda3a5e7040258ff6005323db42d4b7e  corporate/4.0/x86_64/MySQL-ndb-tools-5.0.24-1.1.20060mlcs4.x86_64.rpm
 cf8f3a2b20f73a918afcc2c3e73ac57a  corporate/4.0/x86_64/lib64mysql15-5.0.24-1.1.20060mlcs4.x86_64.rpm
 87246d9937ee81c09d53243c35aff3cc  corporate/4.0/x86_64/lib64mysql15-devel-5.0.24-1.1.20060mlcs4.x86_64.rpm
 325018d3076aebc0ca825c20b7065909  corporate/4.0/x86_64/lib64mysql15-static-devel-5.0.24-1.1.20060mlcs4.x86_64.rpm 
 4151b2b3b22cd4b8c1dc031fb3430d78  corporate/4.0/SRPMS/MySQL-5.0.24-1.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGi/ojmqjQ0CJFipgRAj4NAKCMFSHT8PkOglo8P86m1XiXTwUasQCfWnjl
9JQL+8BVj6JxMqm+UCYacFs=
=SIi1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ