Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in mysql
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in mysql
ID: MDVSA-2009:326
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Mo, 7. Dezember 2009, 22:24
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446
Applikationen: MySQL

Originalnachricht

 
This is a multi-part message in MIME format...

------------=_1260221069-24326-1804


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:326
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mysql
 Date    : December 7, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in mysql:
 
 MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6
 does not properly handle a b'' (b single-quote single-quote) token,
 aka an empty bit-string literal, which allows remote attackers to
 cause a denial of service (daemon crash) by using this token in a
 SQL statement (CVE-2008-3963).
 
 MySQL before 5.0.67 allows local users to bypass certain privilege
 checks by calling CREATE TABLE on a MyISAM table with modified (1)
 DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally
 associated with pathnames without symlinks, and that can point to
 tables created at a future time at which a pathname is modified
 to contain a symlink to a subdirectory of the MySQL home data
 directory. NOTE: this vulnerability exists because of an incomplete
 fix for CVE-2008-4097 (CVE-2008-4098).
 
 Cross-site scripting (XSS) vulnerability in the command-line client
 in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
 allows attackers to inject arbitrary web script or HTML by placing
 it in a database cell, which might be accessed by this client when
 composing an HTML document (CVE-2008-4456).
 
 Multiple format string vulnerabilities in the dispatch_command function
 in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow
 remote authenticated users to cause a denial of service (daemon crash)
 and possibly have unspecified other impact via format string specifiers
 in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
 NOTE: some of these details are obtained from third party information
 (CVE-2009-2446).
 
 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 
 This update provides fixes for this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 ae69b85b696ede452665a3dfe40d602b 
 2008.0/i586/libmysql15-5.0.45-8.3mdv2008.0.i586.rpm
 f6eb37fb5cc75b4d1a49de76a4342f6a 
 2008.0/i586/libmysql-devel-5.0.45-8.3mdv2008.0.i586.rpm
 7175d70122ba697194ed1adf6e29d37d 
 2008.0/i586/libmysql-static-devel-5.0.45-8.3mdv2008.0.i586.rpm
 495bc59b243e7d6eda09c275cf593d5d 
 2008.0/i586/mysql-5.0.45-8.3mdv2008.0.i586.rpm
 1a6a5f377487543980d05b0d34e9343c 
 2008.0/i586/mysql-bench-5.0.45-8.3mdv2008.0.i586.rpm
 ba4598db2f067bda0d921fb26da64d96 
 2008.0/i586/mysql-client-5.0.45-8.3mdv2008.0.i586.rpm
 170a4609fa3ed65ddcc8e5956bcb5f11 
 2008.0/i586/mysql-common-5.0.45-8.3mdv2008.0.i586.rpm
 68174419ca38e88f87658d11475e716d 
 2008.0/i586/mysql-max-5.0.45-8.3mdv2008.0.i586.rpm
 2e47c7e45fb2188a5b4a552c23edfaf9 
 2008.0/i586/mysql-ndb-extra-5.0.45-8.3mdv2008.0.i586.rpm
 19d0e06501b511c09288d75042180e0b 
 2008.0/i586/mysql-ndb-management-5.0.45-8.3mdv2008.0.i586.rpm
 87815967c743b1a2c8190b1e34a28542 
 2008.0/i586/mysql-ndb-storage-5.0.45-8.3mdv2008.0.i586.rpm
 be119a2c13e9fb93cf7a9dd82b22093f 
 2008.0/i586/mysql-ndb-tools-5.0.45-8.3mdv2008.0.i586.rpm 
 1647467195a43409ee289a2704002608 
 2008.0/SRPMS/mysql-5.0.45-8.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 8786523fc4ee663a61b030925a7649d4 
 2008.0/x86_64/lib64mysql15-5.0.45-8.3mdv2008.0.x86_64.rpm
 e7969bf96906ed7683f76956d5968bc0 
 2008.0/x86_64/lib64mysql-devel-5.0.45-8.3mdv2008.0.x86_64.rpm
 42c3ba27aafb73dc87e7acef4eab36ff 
 2008.0/x86_64/lib64mysql-static-devel-5.0.45-8.3mdv2008.0.x86_64.rpm
 a0873f40a53e858bdc454b5aa01b8a7d 
 2008.0/x86_64/mysql-5.0.45-8.3mdv2008.0.x86_64.rpm
 89a89bd97458ba99030ea004ecce409d 
 2008.0/x86_64/mysql-bench-5.0.45-8.3mdv2008.0.x86_64.rpm
 0df3ab344e021bac5f6fe9eefbe64be8 
 2008.0/x86_64/mysql-client-5.0.45-8.3mdv2008.0.x86_64.rpm
 7472bf5a811f542ce1e3f5461e286714 
 2008.0/x86_64/mysql-common-5.0.45-8.3mdv2008.0.x86_64.rpm
 3f25583feb0e1220c66fda0b7ed52908 
 2008.0/x86_64/mysql-max-5.0.45-8.3mdv2008.0.x86_64.rpm
 037b7240a17de717678e10ca059b07eb 
 2008.0/x86_64/mysql-ndb-extra-5.0.45-8.3mdv2008.0.x86_64.rpm
 85383feff8a90555a5f8f64cb396f82d 
 2008.0/x86_64/mysql-ndb-management-5.0.45-8.3mdv2008.0.x86_64.rpm
 c316aef02e214d360eb024dfc5f7dc35 
 2008.0/x86_64/mysql-ndb-storage-5.0.45-8.3mdv2008.0.x86_64.rpm
 ec3058c1c790dd02c03826f868ff1077 
 2008.0/x86_64/mysql-ndb-tools-5.0.45-8.3mdv2008.0.x86_64.rpm 
 1647467195a43409ee289a2704002608 
 2008.0/SRPMS/mysql-5.0.45-8.3mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLHUZrmqjQ0CJFipgRAuOCAKDadso9P/SJZs5C+mFlnD2o38JvqACfcwR/
WVeC8UQYdZooaHXDObQjgSs=
=31aR
-----END PGP SIGNATURE-----


------------=_1260221069-24326-1804
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva? 
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1260221069-24326-1804--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung