Debian: mysql privilege escalation vulnerability

    Date: 16 May 2003
    Category: Debian
    Posted By: LinuxSecurity Advisories
    There are multiple vulnerabilities in the mysql package.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 303-1
    http://www.debian.org/security/                             Matt Zimmerman
    May 15th, 2003                            http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : mysql
    Vulnerability  : privilege escalation
    Problem-Type   : remote
    Debian-specific: no
    CVE Ids        : CAN-2003-0073, CAN-2003-0150
    
    CAN-2003-0073: The mysql package contains a bug whereby dynamically
    allocated memory is freed more than once, which could be deliberately
    triggered by an attacker to cause a crash, resulting in a denial of
    service condition.  In order to exploit this vulnerability, a valid
    username and password combination for access to the MySQL server is
    required.
    
    CAN-2003-0150: The mysql package contains a bug whereby a malicious
    user, granted certain permissions within mysql, could create a
    configuration file which would cause the mysql server to run as root,
    or any other user, rather than the mysql user.
    
    For the stable distribution (woody) both problems have been fixed in
    version 3.23.49-8.4.
    
    The old stable distribution (potato) is only affected by
    CAN-2003-0150, and this has been fixed in version 3.22.32-6.4.
    
    For the unstable distribution (sid), CAN-2003-0073 was fixed in
    version 4.0.12-2, and CAN-2003-0150 will be fixed soon.
    
    We recommend that you update your mysql package.
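
The CAN-2003-0150 condition described above comes down to an option file that tells the server to run under an account other than mysql. The following audit is an added example, not part of the advisory or the Debian package; the section names, the `my.cnf` file name and the `EXPECTED_USER` default are assumptions.

```shell
#!/bin/sh
# Added example, not part of DSA 303-1: audit MySQL option files for a
# 'user' directive that would start the server under an unexpected account.
# Assumptions: service account "mysql", section names in SERVER_SECTIONS.
EXPECTED_USER="${EXPECTED_USER:-mysql}"
SERVER_SECTIONS='^(mysqld|safe_mysqld|mysqld_safe)$'

# audit_mycnf FILE: prints "FILE:LINE: [section] user=VALUE" per finding.
# Returns 1 if anything was flagged, 0 if the file is clean.
audit_mycnf() {
    awk -v want="$EXPECTED_USER" -v secs="$SERVER_SECTIONS" -v file="$1" '
        /^[ \t]*[#;]/ { next }                  # whole-line comments
        /^[ \t]*\[/ {                           # section header
            sec = $0
            gsub(/^[ \t]*\[|\].*$/, "", sec)
            next
        }
        sec ~ secs {                            # server-side sections only
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line !~ /^user[ \t]*=/) next    # only the user directive
            sub(/^user[ \t]*=[ \t]*/, "", line)
            sub(/[ \t]*(#.*)?$/, "", line)      # trailing comment or blanks
            gsub(/"/, "", line)
            if (line != want) {
                printf "%s:%d: [%s] user=%s\n", file, NR, sec, line
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# audit_paths PATH...: each PATH is an option file, or a directory that is
# searched for files named my.cnf. Returns 1 if any file had a finding.
audit_paths() {
    rc=0
    for p in "$@"; do
        list=$(find "$p" -type f \( -name my.cnf -o -path "$p" \) 2>/dev/null) || true
        while IFS= read -r f; do
            [ -n "$f" ] || continue
            audit_mycnf "$f" || rc=1
        done <<EOF
$list
EOF
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_paths "$@"; fi
```

Run it with the option files and directories the server reads on your system as arguments; a non-zero exit status means at least one file sets a server account other than `EXPECTED_USER`.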
    
    Upgrade Instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc
          Size/MD5 checksum:      886 dffa9151341b51795caf44697143f6f9
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
          Size/MD5 checksum:    72122 be4d9a71e6640fd40e9b316841b7ae0e
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
          Size/MD5 checksum: 11861035 a2820d81997779a9fdf1f4b3c321564a
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb
          Size/MD5 checksum:    16616 a6d308e2d03cd3be901239baa1be388a
         http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
          Size/MD5 checksum:  1962846 b538ea9589ac54c302651534e2bc4e8b
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb
          Size/MD5 checksum:   277416 a17fcb026291699dcb1b051314a71d90
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
          Size/MD5 checksum:   778474 01b0948dd0cf0877f53f095121186657
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb
          Size/MD5 checksum:   163216 e6be327a08bc72fb8db433a0af9b41d0
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
          Size/MD5 checksum:  3633954 64c12c4a3b69bdf148357a0a1a479469
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb
          Size/MD5 checksum:   238046 774b001079f95c35ea88be11d67e775d
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
          Size/MD5 checksum:   634284 eb4db3ae1eb54cf11f7382b4b0727b9f
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb
          Size/MD5 checksum:   123630 5608edfbdc9775e88ce437cb870d1750
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
          Size/MD5 checksum:  2805654 b4710dec86a805034625d7b9856a7d12
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb
          Size/MD5 checksum:   234398 cdcdf5dc35e34c48b01f45b176acba9f
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
          Size/MD5 checksum:   576406 dbe76a3e83bab136bffadfe1c8dc468c
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb
          Size/MD5 checksum:   122240 7811d04423a4a1c17c22c44fb0a38dc1
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
          Size/MD5 checksum:  2800476 aac5248b0e5a608828b192ab7cc0ba4b
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb
          Size/MD5 checksum:   314754 61514f1241d050604b2e8e52252877bb
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
          Size/MD5 checksum:   848292 39854d7460d71196b1815c6b59b78097
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb
          Size/MD5 checksum:   173492 82306dd70c0f55e17d987430a4495df9
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
          Size/MD5 checksum:  3999800 e6f67c4a1e81665b7bc221a734e6d0b1
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb
          Size/MD5 checksum:   280316 9acbce0515b8e030cc821cf42c1f6300
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
          Size/MD5 checksum:   743428 227ef882e4e2d2c78cfb6d4c42a058c1
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb
          Size/MD5 checksum:   140298 a507d10215eec27be17d3fbcf3ac2b7c
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
          Size/MD5 checksum:  3514686 930fce4f4e0d9e4b02f917d13f88c9fd
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb
          Size/MD5 checksum:   227382 85d26489d8164b57ed0f929a0b82266d
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
          Size/MD5 checksum:   557500 a1ea17a4e9559e3fa74ab65a0f1dc6ff
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb
          Size/MD5 checksum:   118080 2fab9a645752c4edc0d2571d8df4625a
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
          Size/MD5 checksum:  2646470 9e1e657b5b48e3b311d024fc4a3e02d8
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb
          Size/MD5 checksum:   250634 24efc32271417f6c1088d24f9112292d
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
          Size/MD5 checksum:   688722 abbd8a36aae20a0fe554496bd165dc90
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb
          Size/MD5 checksum:   133584 afe4c3375f839d9362de4109c87e514e
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
          Size/MD5 checksum:  2847586 2c46dff082360688ed0c26bb62195c4f
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb
          Size/MD5 checksum:   250292 e6bd9229aff722e43b028e38f235025f
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
          Size/MD5 checksum:   688078 50454d0fe3448e7d71ddb2c63daa138c
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb
          Size/MD5 checksum:   133922 63ae0463860094468b82cab6885b6931
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
          Size/MD5 checksum:  2838896 38e2c2bf2a9b364080ecb05bd1e82b37
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb
          Size/MD5 checksum:   247404 f7c7a7255225b9bd4cc26a3f48645f88
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
          Size/MD5 checksum:   652344 9a0b47815e4915756f3beb585bd35a41
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb
          Size/MD5 checksum:   129128 57fe23b4059856302de47ff02a61f9ff
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
          Size/MD5 checksum:  2822666 65117c17745024c0cb0bc07af8fdc181
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb
          Size/MD5 checksum:   249708 e6caf6fd3796cf782502865d419341d8
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
          Size/MD5 checksum:   606782 2d6463b698fc62488e9ee87ad8b89a90
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb
          Size/MD5 checksum:   126108 e2751df859c6c8cf7ebf5e1a3e2398bb
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
          Size/MD5 checksum:  2690902 c2d61b902ff6b3ed500b431285b445c1
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb
          Size/MD5 checksum:   240924 3c295207bcf57d2516401356d80d1450
         http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
          Size/MD5 checksum:   615466 fe90d0ff7b9fdf7311b6b219c9db1b7a
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb
          Size/MD5 checksum:   130078 fc0ffc9023dfd3fae659a077afd975df
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb
          Size/MD5 checksum:  2939004 04e7c934a860c8e616cb205e23abba6c
    
    Debian GNU/Linux 2.2 alias potato
    ---------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc
          Size/MD5 checksum:      674 0068fe98d371be47dad2bae31a1b8f2a
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
          Size/MD5 checksum:    84753 f430cddd4b42e2346009de6c36ae4b0d
         http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
          Size/MD5 checksum:  4296259 e3d9cb3038a2e4378c9c0f4f9d8c2d58
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
          Size/MD5 checksum:  1687148 9a6807eae4a6a36e80ffe1090e0ca8d9
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb
          Size/MD5 checksum:    99636 666fc3f3ba5ce09aac3af8739cc71d13
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
          Size/MD5 checksum:   790956 f9ba2a3053508973163a6dc8152fce52
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb
          Size/MD5 checksum:    87380 c70f21c3a2a86d7ae659fb21e46fe1ae
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
          Size/MD5 checksum:   603944 fc8c733a5966c7d48d3549939290a6be
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb
          Size/MD5 checksum:    87020 416c768401102a0990b695bc2934e0c8
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
          Size/MD5 checksum:   584930 1f7e3af12a75b01e46a192f4e6669f41
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb
          Size/MD5 checksum:    84676 03508436943ae58f8df135c36cd80ef7
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
          Size/MD5 checksum:   555302 a0a646d2cbe628ccfae5b424f7508ba5
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb
          Size/MD5 checksum:    87692 b4a178029aec19d04150ce9cd5e075d8
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
          Size/MD5 checksum:   632870 ead6825efc5572640b96b4bdf94d77f1
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb
          Size/MD5 checksum:    94344 982ba0aa36d6ef03647aee8bf57c01df
         http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
          Size/MD5 checksum:   612336 64957610af9008565d09016c426deca0
    
    ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    