SciLinux: CVE-2008-4098 Moderate: mysql SL4.x i386/x86_64
Summary
CVE-2008-4456 mysql: mysql command line client XSS flawCVE-2009-2446 MySQL: Format string vulnerability by manipulation withdatabase instances (crash)CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098Multiple flaws were discovered in the way MySQL handled symbolic linksto tables created using the DATA DIRECTORY and INDEX DIRECTORYdirectives in CREATE TABLE statements. An attacker with CREATE and DROPtable privileges and shell access to the database server could use theseflaws to escalate their database privileges, or gain access to tablescreated by other database users. (CVE-2008-4098, CVE-2009-4030)Note: Due to the security risks and previous security issues related tothe use of the DATA DIRECTORY and INDEX DIRECTORY directives, users notdepending on this feature should consider disabling it by adding"symbolic-links=0" to the "[mysqld]" section of the "my.cnf"configuration file. In this update, an example of such a configurationwas added to the default "my.cnf" file.An insufficient HTML entities quoting flaw was found in the mysqlcommand line client's HTML output mode. If an attacker was able toinject arbitrary HTML tags into data stored in a MySQL database, whichwas later retrieved using the mysql command line client and its HTMLoutput mode, they could perform a cross-site scripting (XSS) attackagainst victims viewing the HTML output in a web browser. (CVE-2008-4456)Multiple format string flaws were found in the way the MySQL serverlogged user commands when creating and deleting databases. A remote,authenticated attacker with permissions to CREATE and DROP databasescould use these flaws to formulate a specially-crafted SQL command thatwould cause a temporary denial of service (open connections to mysqldare terminated). (CVE-2009-2446)Note: To exploit the CVE-2009-2446 flaws, the general query log (thebe enabled. This logging is not enabled by default.After installing this update, the MySQL server daemon (mysqld) will berestarted automatically.