Root exploit in MySQL 3.23 < .56?
From: Steve Linberg (slinberg_at_crocker.com)
Date: Tue, 06 May 2003 00:36:36 GMT
Just got a message from the Red Hat update thingy saying a remote root
exploit has been found for MySQL 3.23, all versions below the most
I'm rebuilding on several servers right now, but I'm a little surprised
that this doesn't seem to be under discussion in the usual places you'd
expect to see references to a problem as widespread and presumably
dangerous as this one. A LOT of people use MySQL 3.23.x and everybody
is supposed to upgrade, apparently.
The only information out there that I can find is thin so far:
Anybody have more? Am I misunderstanding this?
Text of the Red Hat message follows:
Red Hat Network has determined that the following advisory is applicable
one or more of the systems you have registered:
Complete information about this errata can be found at the following
Security Advisory - RHSA-2003:093-14
Updated MySQL packages fix vulnerabilities
Updated MySQL server packages fix both a double-free security
vulnerability and a root exploit security vulnerability.
[Updated 1 May 2003]
Added updated packages for Red Hat Linux 9, which is vulnerable to
MySQL is a multi-user, multi-threaded SQL database server.
A double-free vulnerability in mysqld, for MySQL before version 3.23.55,
allows attackers with MySQL access to cause a denial of service (crash)
creating a carefully crafted client application. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
CAN-2003-0073 to this issue.
MySQL 3.23.55 and earlier creates world-writable files and allows mysql
users to gain root privileges by using the "SELECT * INFO OUTFILE"
to overwrite a configuration file and cause mysql to run as root upon
restart. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0150 to this issue.
All users are advised to upgrade to MySQL 3.23.56 contained within this
errata which is not vulnerable to these issues.
In addition to the security fixes, these erratum packages contain a
thread safe client library (libmysqlclient_r).