Re: [FLSA-2005:2129] Updated mysql packages fix security issues

From: Ventsislav Genchev (vigour_at_atlantis.bg)
Date: 03/25/05

  • Next message: Thierry Carrez: "[ GLSA 200503-30 ] Mozilla Suite: Multiple vulnerabilities"
    Date: Fri, 25 Mar 2005 13:39:48 +0200
    To: fedora-legacy-announce@redhat.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Oops... my mistake... sorry guys... everything is OK... I just used md5sum
    instead of sha1sum... sorry again..

    fedora-legacy-announce@redhat.com wrote:
    > ---------------------------------------------------------------------
    > Fedora Legacy Update Advisory
    >
    > Synopsis: Updated mysql packages fix security issues
    > Advisory ID: FLSA:2129
    > Issue date: 2005-03-24
    > Product: Red Hat Linux, Fedora Core
    > Keywords: Bugfix
    > Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2129
    > CVE Names: CAN-2004-0381 CAN-2004-0388 CAN-2004-0457
    > CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
    > CAN-2004-0957 CAN-2005-0004
    > ---------------------------------------------------------------------
    >
    >
    > ---------------------------------------------------------------------
    > 1. Topic:
    >
    > Updated mysql packages that fix various security issues are now
    > available.
    >
    > MySQL is a multi-user, multi-threaded SQL database server.
    >
    > 2. Relevant releases/architectures:
    >
    > Red Hat Linux 7.3 - i386
    > Red Hat Linux 9 - i386
    > Fedora Core 1 - i386
    >
    > 3. Problem description:
    >
    > This update fixes a number of potential security problems associated
    > with careless handling of temporary files. The Common Vulnerabilities
    > and Exposures project (cve.mitre.org) has assigned the names
    > CAN-2004-0381, CAN-2004-0388, CAN-2004-0457, and CAN-2005-0004 to these
    > issues.
    >
    > Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked
    > the CREATE/INSERT rights of the old table instead of the new one. The
    > Common Vulnerabilities and Exposures project (cve.mitre.org) has
    > assigned the name CAN-2004-0835 to this issue.
    >
    > Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect
    > function. In order to exploit this issue an attacker would need to force
    > the use of a malicious DNS server (CAN-2004-0836).
    >
    > Dean Ellis discovered that multiple threads ALTERing the same (or
    > different) MERGE tables to change the UNION could cause the server to
    > crash or stall (CAN-2004-0837).
    >
    > Sergei Golubchik discovered that if a user is granted privileges to a
    > database with a name containing an underscore ("_"), the user also gains
    > the ability to grant privileges to other databases with similar names
    > (CAN-2004-0957).
    >
    > All users of mysql should upgrade to these updated packages, which
    > resolve these issues.
    >
    > 4. Solution:
    >
    > Before applying this update, make sure all previously released errata
    > relevant to your system have been applied.
    >
    > To update all RPMs for your particular architecture, run:
    >
    > rpm -Fvh [filenames]
    >
    > where [filenames] is a list of the RPMs you wish to upgrade. Only those
    > RPMs which are currently installed will be updated. Those RPMs which
    > are not installed but included in the list will not be updated. Note
    > that you can also use wildcards (*.rpm) if your current directory *only*
    > contains the desired RPMs.
    >
    > Please note that this update is also available via yum and apt. Many
    > people find this an easier way to apply updates. To use yum issue:
    >
    > yum update
    >
    > or to use apt:
    >
    > apt-get update; apt-get upgrade
    >
    > This will start an interactive process that will result in the
    > appropriate RPMs being upgraded on your system. This assumes that you
    > have yum or apt-get configured for obtaining Fedora Legacy content.
    > Please visit http://www.fedoralegacy.org/docs for directions on how to
    > configure yum and apt-get.
    >
    > 5. Bug IDs fixed:
    >
    > http://bugzilla.fedora.us - bug #2129 - MySQL Remote Buffer Overflow
    >
    > 6. RPMs required:
    >
    > Red Hat Linux 7.3:
    >
    > SRPM:
    > http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
    >
    >
    > i386:
    > http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
    >
    >
    > Red Hat Linux 9:
    >
    > SRPM:
    > http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
    >
    >
    > i386:
    > http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
    >
    >
    > Fedora Core 1:
    >
    > SRPM:
    > http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
    >
    >
    > i386:
    > http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
    >
    > http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
    >
    >
    > 7. Verification:
    >
    > SHA1 sum Package Name
    > ---------------------------------------------------------------------
    >
    >
    > These packages are GPG signed by Fedora Legacy for security. Our key is
    > available from http://www.fedoralegacy.org/about/security.php
    >
    > You can verify each package with the following command:
    >
    > rpm --checksig -v <filename>
    >
    > If you only wish to verify that each package has not been corrupted or
    > tampered with, examine only the sha1sum with the following command:
    >
    > sha1sum <filename>
    >
    > 8. References:
    >
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
    > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
    >
    > 9. Contact:
    >
    > The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    > project details at http://www.fedoralegacy.org
    >
    > ---------------------------------------------------------------------
    >
    >
    > ------------------------------------------------------------------------
    >
    > --
    > Fedora-legacy-announce mailing list
    > Fedora-legacy-announce@redhat.com
    > http://www.redhat.com/mailman/listinfo/fedora-legacy-announce

    - --
    Ventsislav Genchev
    Atlantis BG, Ltd.
    E-mail: vigour@atlantis.bg
    phone: +35928757001

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (GNU/Linux)
    Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

    iD8DBQFCQ/iDwxiN6NaquRwRAteoAKDAlPjrO5S414H09DXt+fI29XIQyQCgpAFq
    3EfN2EYu9TQgc3dS8aiU3PM=
    =HEwD
    -----END PGP SIGNATURE-----
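The verification step in the quoted advisory (section 7) lists SHA1 sums, and the reply's mistake was running md5sum instead of sha1sum. As an added example that is not part of the advisory or the reply, this shell script turns the advisory's digest/path table (digest on one line, package path on the next, possibly with mail quoting) into `sha1sum -c` input and fails early when a digest has MD5 length; the package file names, the current-directory layout and GNU coreutils are assumptions.

```shell
#!/bin/sh
# Added example: verify downloaded RPMs against an advisory-style SHA1 table.

# Reformat the advisory table into "digest  basename" lines for sha1sum -c.
# $1 = file holding the table excerpt (leading "> " mail quoting is stripped;
# paths are reduced to basenames because the RPMs sit in one directory).
advisory_to_checklist() {
    awk '
        { sub(/^[> ]+/, "") }                          # drop mail quoting
        /^[0-9a-fA-F]+$/ && length($1) >= 32 { digest = $1; next }  # digest line
        digest != "" && NF > 0 {                       # path line that follows it
            n = split($1, p, "/"); print digest "  " p[n]; digest = ""
        }
    ' "$1"
}

# Verify every package named in the table against the files in directory $2.
# Returns 0 only when every listed file exists and matches its SHA1 digest,
# 2 when the table carries an MD5-length digest (someone ran md5sum).
verify_packages() {
    table="$1"; dir="$2"
    advisory_to_checklist "$table" > "$dir/SHA1SUMS" || return 1
    # 32 hex characters is an MD5, not the 40-character SHA1 the advisory lists.
    if grep -Eq '^[0-9a-fA-F]{32}  ' "$dir/SHA1SUMS"; then
        echo "digest has MD5 length; the advisory lists SHA1 sums, use sha1sum" >&2
        return 2
    fi
    (cd "$dir" && sha1sum -c SHA1SUMS)
}

# Constructed demo: a fake package (not a real RPM) whose digest we compute
# ourselves, written into a table in the advisory's quoted format.
demo() {
    d=$(mktemp -d)
    pkg="mysql-3.23.58-4.3.legacy.i386.rpm"
    printf 'not a real rpm\n' > "$d/$pkg"
    sha=$(sha1sum "$d/$pkg" | cut -d' ' -f1)
    printf '> %s\n> fedora/1/updates/i386/%s\n' "$sha" "$pkg" > "$d/table.txt"
    verify_packages "$d/table.txt" "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}
```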
