Debian: New mysql-dfsg-4.1 package fixes arbitrary code execution

    Date04 Oct 2005
    CategoryDebian
    6331
    Posted ByJoe Shakespeare
    Updated package.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 833-2                     This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                             Martin Schulze
    October 4th, 2005                       http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : mysql-dfsg-4.1
    Vulnerability  : buffer overflow
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CAN-2005-2558
    BugTraq ID     : 14509
    
    A stack-based buffer overflow in the init_syms function of MySQL, a
    popular database, has been discovered that allows remote authenticated
    users who can create user-defined functions to execute arbitrary code
    via a long function_name field.  The ability to create user-defined
    functions is not typically granted to untrusted users.
    
    The following vulnerability matrix explains which version of MySQL in
    which distribution has this problem fixed:
    
                         woody              sarge              sid
    mysql             3.23.49-8.14           n/a               n/a
    mysql-dfsg            n/a          4.0.24-10sarge1    4.0.24-10sarge1
    mysql-dfsg-4.1        n/a          4.1.11a-4sarge2        4.1.14-2
    mysql-dfsg-5.0        n/a                n/a            5.0.11beta-3
    
    This update only covers binary packages for the big endian MIPS
    architecture that was mysteriously forgotton in the earlier update.
    
    We recommend that you upgrade your mysql-dfsg-4.1 packages.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
      Source archives:
    
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge2.dsc
          Size/MD5 checksum:     1021 ef5b7f754fd69c6ddf96185a9ea99d8c
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge2.diff.gz
          Size/MD5 checksum:   163217 c22faa82cad1a38568146d03a316b4c3
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
          Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3
    
      Architecture independent components:
    
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge2_all.deb
          Size/MD5 checksum:    35758 f4c17c57aaed4aba0d06b22391a443ff
    
      Big endian MIPS architecture:
    
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_mips.deb
          Size/MD5 checksum:  1477872 22fec72fd66a24a4f0d908dcaa23e64f
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_mips.deb
          Size/MD5 checksum:  6051732 6eb05337947f14fc0db2989a64db67d5
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_mips.deb
          Size/MD5 checksum:   903670 38af0c111d89ed2455f418da9aafdb56
        http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_mips.deb
          Size/MD5 checksum: 15407526 d728af32519bf4ca50b96dd37998631d
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"64","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.39,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.46,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.