Säkerhetsbulletin från Debian

DSA-1079-1 mysql-dfsg -- flera sårbarheter

Rapporterat den:
2006-05-29
Berörda paket:
mysql-dfsg
Sårbara:
Ja
Referenser i säkerhetsdatabaser:
I Debians felrapporteringssystem: Fel 366044, Fel 366049, Fel 366163.
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 16850, BugTraq-id 17780.
I Mitres CVE-förteckning: CVE-2006-0903, CVE-2006-1516, CVE-2006-1517, CVE-2006-1518.
CERTs information om sårbarheter, bulletiner och incidenter: VU#602457.
Ytterligare information:

Flera sårbarheter har upptäckts i MySQL, en populär SQL-databas. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

  • CVE-2006-0903

    Felaktig hantering av SQL-frågor som innehåller NULL-tecken gjorde det möjligt för lokala användare att förbigå loggningsmekanismer.

  • CVE-2006-1516

    Användarnamn utan avslutande null-byte gjorde det möjligt för angripare utifrån att läsa delar av minnet.

  • CVE-2006-1517

    En fråga med en felaktig paketlängd gjorde det möjligt för angripare utifrån att få tag på känslig information.

  • CVE-2006-1518

    Specialskrivna frågepaket med felaktiga längdvärden gjorde det möjligt att exekvera godtycklig kod.

Följande sårbarhetstabell beskriver vilka versioner av MySQL i vilka distributioner som har rättat problemet:

  Woody Sarge Sid
mysql 3.23.49-8.15
mysql-dfsg 4.0.24-10sarge2
mysql-dfsg-4.1 4.1.11a-4sarge3
mysql-dfsg-5.0 5.0.21-3

Vi rekommenderar att ni uppgraderar era mysql-paket.

Rättat i:

Debian GNU/Linux 3.1 (sarge)

Källkod:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.dsc
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.diff.gz
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
Arkitekturoberoende komponent:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-common_4.0.24-10sarge2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.