Package : mysql Vulnerability : insecure temporary file creation Problem-Type : local Debian-specific: no CVE IDs : CAN-2004-0381 CAN-2004-0388 Bugtraq ID : 9976
Two vulnerabilities have been discovered in mysql, a common database system. Two scripts contained in the package don't create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking the MySQL server, which is often the root user. The Common Vulnerabilities and Exposures identifies the following problems:
CAN-2004-0381
The script mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack.
CAN-2004-0388
The script mysqld_multi in MySQL allows local users to overwrite arbitrary files via a symlink attack.
For the stable distribution (woody) these problems have been fixed in version 3.23.49-8.6.
For the unstable distribution (sid) these problems will be fixed in version 4.0.18-6 of mysql-dfsg.
We recommend that you upgrade your mysql, mysql-dfsg and related packages.
Upgrade Instructions --------------------
wget url will fetch the file for you dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody --------------------------------