[Full-disclosure] UnixWare 7.1.4 : MySQL updated MySQL (version 4.1.11) fixes security issues

please_reply_to_security_at_sco.com
Date: 06/08/05

  • Next message: please_reply_to_security_at_sco.com: "[Full-disclosure] UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : wu-ftp denial of service"
    To: security-announce@list.sco.com, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    Date: Tue, 7 Jun 2005 17:21:29 -0700
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: UnixWare 7.1.4 : MySQL updated MySQL (version 4.1.11) fixes security issues
    Advisory number: SCOSA-2005.27
    Issue date: 2005 June 06
    Cross reference: sr893337 fz531603 erg712817 CAN-2004-0957
    ______________________________________________________________________________

    1. Problem Description

            MySQL 3.23.58 and earlier, when a local user has privileges
            for a database whose name includes a "_" (underscore),
            grants privileges to other databases that have similar
            names, which can allow the user to conduct unauthorized
            activities.

            Please note the abbreviated name of the package has been
            changed from "mysql" to "MySQL".

            Please see the MySQL site for the complete list of changes at:
            http://dev.mysql.com/doc/mysql/en/news-4-1-11.html
            
            The Common Vulnerabilities and Exposures project (cve.mitre.org)
            has assigned the following name CAN-2004-0957 to this issue.

    2. Vulnerable Supported Versions

            System Binaries
            ----------------------------------------------------------------------
            UnixWare 7.1.4 distribution

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.4

            4.1 Location of Fixed Binaries

            ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.27

            4.2 Verification

            MD5 (MySQL-4.1.11.pkg) = 20d18d0cd571f412b211225e5088e3a2

            md5 is available for download from
                    ftp://ftp.sco.com/pub/security/tools

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

            Download MySQL-4.1.11.pkg to the /var/spool/pkg directory

            # pkgadd -d /var/spool/pkg/MySQL-4.1.11.pkg

    5. References

            Specific references for this advisory:
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            SCO security advisories via email
                    http://www.sco.com/support/forums/security.html

            This security fix closes SCO incidents sr893337 fz531603
            erg712817.

    6. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO
            products.

    7. Acknowledgments

            This vulnerability was reported to the vendor by Sergei
            Golubchik.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (SCO/SYSV)

    iD8DBQFCpOPFaqoBO7ipriERAtZ0AKCL3SviPdj0dPsxIb+Mf+LVFC8zLwCfYVzP
    1ObL4/3vIrsBk36NVESIzaA=
    =B3kQ
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: please_reply_to_security_at_sco.com: "[Full-disclosure] UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : wu-ftp denial of service"

    Relevant Pages