GLSA: mysql (200309-08)

From: Daniel Ahlberg (aliz_at_gentoo.org)
Date: 09/15/03

    To: gentoo-announce@gentoo.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Mon, 15 Sep 2003 12:01:00 +0200 (CEST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200309-08
    - - - ---------------------------------------------------------------------

              PACKAGE : mysql
              SUMMARY : buffer overflow
                 DATE : 2003-09-15 10:00 UTC
              EXPLOIT : remote
    VERSIONS AFFECTED : <mysql-3.23.57-r1 <mysql-4.0.13-r4 >=mysql-4.0.14-r2(masked)
        FIXED VERSION : >=mysql-3.23.57-r1 >=mysql-4.0.13-r4 >=mysql-4.0.14-r2(masked)
                  CVE : CAN-2003-0780

    - - - ---------------------------------------------------------------------

    quote from advisory:

    "Anyone with global administrative privileges on a MySQL server may
    execute arbitrary code even on a host he isn't supposed to have a shell
    on, with the privileges of the system account running the MySQL server."

    read the full advisory at:
    http://www.securityfocus.com/archive/1/337012

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    dev-db/mysql upgrade to either one of these versions:

    3.23.x - mysql-3.23.57-r1
    4.0.x - mysql-4.0.13-r4 OR
             mysql-4.0.14-r2 if accepting "~" keywords.

    emerge sync
    emerge \=dev-db/mysql/<mysql version>
    emerge clean

    - - - ---------------------------------------------------------------------
    aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
    solar@gentoo.org
    - - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iD8DBQE/ZY3cfT7nyhUpoZMRAjpJAJ0ZTUg/pJxdsWeIpxTJX/cDMatkEQCeKmFU
    GGrAKtwqtPNuiguwyhelHys=
    =uFLV
    -----END PGP SIGNATURE-----
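A check of installed package strings against the FIXED VERSION line above, as an added example that is not part of the advisory or of Portage. It assumes that each listed fix applies only to later revisions of that same upstream version (so a 4.0.14 below -r2 is treated as affected even though it sorts above 4.0.13-r4), and that releases after the last listed one in a branch are fixed; the names `FIXED`, `parse` and `glsa_status` are made up for this example.

```python
import re

# Fixed revisions per branch, copied from the advisory's FIXED VERSION line.
# Assumption: a listed fix covers only later revisions of that same upstream
# version; releases after the last listed one in a branch carry the fix.
FIXED = {
    (3, 23): [((3, 23, 57), 1)],
    (4, 0): [((4, 0, 13), 4), ((4, 0, 14), 2)],
}

# Accepts "mysql-4.0.13-r4" or "dev-db/mysql-4.0.13-r4" (numeric versions only).
_ATOM = re.compile(r"^(?:dev-db/)?mysql-(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse(atom):
    """Split a package string into (version tuple, Gentoo revision)."""
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError("unrecognised package string: %r" % atom)
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, int(m.group(2) or 0)  # no -rN suffix means revision 0


def glsa_status(atom):
    """Return 'fixed', 'affected' or 'unknown' for GLSA 200309-08."""
    version, revision = parse(atom)
    fixes = FIXED.get(version[:2])
    if fixes is None:
        return "unknown"  # branch not mentioned in the advisory
    for fixed_version, fixed_revision in fixes:
        if version == fixed_version:
            return "fixed" if revision >= fixed_revision else "affected"
    newest_fixed_version = fixes[-1][0]
    return "fixed" if version > newest_fixed_version else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for pkg in ("dev-db/mysql-3.23.57", "dev-db/mysql-4.0.13-r4",
                "dev-db/mysql-4.0.14", "dev-db/mysql-4.0.14-r2"):
        print(pkg, glsa_status(pkg))
```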

