Re: [FLSA-2005:2129] Updated mysql packages fix security issues

To: fedora-legacy-announce@xxxxxxxxxx
Subject: Re: [FLSA-2005:2129] Updated mysql packages fix security issues
From: Ventsislav Genchev <vigour@xxxxxxxxxxx>
Date: Fri, 25 Mar 2005 13:18:21 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <42434841.6070707@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Atlantis BG, Ltd.
References: <42434841.6070707@xxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2-1.3.2 (X11/20050324)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I get an incorrect md5sum for this package:

106480fe6f5d56513a4fd77592d5a8e88a9c4825
redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm

didn't check the others...

$ md5sum mysql-3.23.58-1.90.5.legacy.src.rpm
a75573a4ce3e865f3b682ff8f65f41a7  mysql-3.23.58-1.90.5.legacy.src.rpm


Is this a mistake or the package was changed?


fedora-legacy-announce@xxxxxxxxxx wrote:
> ---------------------------------------------------------------------
>                Fedora Legacy Update Advisory
> 
> Synopsis:          Updated mysql packages fix security issues
> Advisory ID:       FLSA:2129
> Issue date:        2005-03-24
> Product:           Red Hat Linux, Fedora Core
> Keywords:          Bugfix
> Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2129
> CVE Names:         CAN-2004-0381 CAN-2004-0388 CAN-2004-0457
>                    CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
>                    CAN-2004-0957 CAN-2005-0004
> ---------------------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> 1. Topic:
> 
> Updated mysql packages that fix various security issues are now
> available.
> 
> MySQL is a multi-user, multi-threaded SQL database server.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
> 
> 3. Problem description:
> 
> This update fixes a number of potential security problems associated
> with careless handling of temporary files. The Common Vulnerabilities
> and Exposures project (cve.mitre.org) has assigned the names
> CAN-2004-0381, CAN-2004-0388, CAN-2004-0457, and CAN-2005-0004 to these
> issues.
> 
> Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked
> the CREATE/INSERT rights of the old table instead of the new one. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0835 to this issue.
> 
> Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect
> function. In order to exploit this issue an attacker would need to force
> the use of a malicious DNS server (CAN-2004-0836).
> 
> Dean Ellis discovered that multiple threads ALTERing the same (or
> different) MERGE tables to change the UNION could cause the server to
> crash or stall (CAN-2004-0837).
> 
> Sergei Golubchik discovered that if a user is granted privileges to a
> database with a name containing an underscore ("_"), the user also gains
> the ability to grant privileges to other databases with similar names
> (CAN-2004-0957).
> 
> All users of mysql should upgrade to these updated packages, which
> resolve these issues.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, run:
> 
> rpm -Fvh [filenames]
> 
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which
> are not installed but included in the list will not be updated.  Note
> that you can also use wildcards (*.rpm) if your current directory *only*
> contains the desired RPMs.
> 
> Please note that this update is also available via yum and apt.  Many
> people find this an easier way to apply updates.  To use yum issue:
> 
> yum update
> 
> or to use apt:
> 
> apt-get update; apt-get upgrade
> 
> This will start an interactive process that will result in the
> appropriate RPMs being upgraded on your system.  This assumes that you
> have yum or apt-get configured for obtaining Fedora Legacy content.
> Please visit http://www.fedoralegacy.org/docs for directions on how to
> configure yum and apt-get.
> 
> 5. Bug IDs fixed:
> 
> http://bugzilla.fedora.us - bug #2129 - MySQL Remote Buffer Overflow
> 
> 6. RPMs required:
> 
> Red Hat Linux 7.3:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
> 
> 
> Red Hat Linux 9:
> 
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
> 
> 
> Fedora Core 1:
> 
> SRPM:
> http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
> 
> 
> i386:
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
> 
> http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
> 
> 
> 7. Verification:
> 
> SHA1 sum                                 Package Name
> ---------------------------------------------------------------------
> 
> 04ef0f04b389f7f9fc5bb46f35f81e8503a463ba
> redhat/7.3/updates/i386/mysql-3.23.58-1.73.5.legacy.i386.rpm
> 879f133178898835609ec305988b473e7221f825
> redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.5.legacy.i386.rpm
> 9258ee1dd63f878c376a4e8a4f28e6dc8be11600
> redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.5.legacy.i386.rpm
> f8dfbc8e8992bb56c1f8ba9f6917ab0fb11d0e80
> redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.5.legacy.src.rpm
> 246af76de738268375fee9c066efdabdc5a01f73
> redhat/9/updates/i386/mysql-3.23.58-1.90.5.legacy.i386.rpm
> 22b584c92e81cd29086fa2335910ba5b67d22711
> redhat/9/updates/i386/mysql-devel-3.23.58-1.90.5.legacy.i386.rpm
> 4fe21cae92371b5a3ed79858ec5432807bf2cee4
> redhat/9/updates/i386/mysql-server-3.23.58-1.90.5.legacy.i386.rpm
> 106480fe6f5d56513a4fd77592d5a8e88a9c4825
> redhat/9/updates/SRPMS/mysql-3.23.58-1.90.5.legacy.src.rpm
> 509f1caeef89bb626334be27e13c4269cc00ca75
> fedora/1/updates/i386/mysql-3.23.58-4.3.legacy.i386.rpm
> 7e0bf52038d1ccb3e56f8f2e48f32846e9cb52ec
> fedora/1/updates/i386/mysql-bench-3.23.58-4.3.legacy.i386.rpm
> 08c25d36193f30dceb4d3f81fbdd69f713fd94b7
> fedora/1/updates/i386/mysql-devel-3.23.58-4.3.legacy.i386.rpm
> 8fa58175f2d1baf7d45e8c19939928d3faa113ba
> fedora/1/updates/i386/mysql-server-3.23.58-4.3.legacy.i386.rpm
> 291ec6bb776126c3726dc7dfc067afad520300af
> fedora/1/updates/SRPMS/mysql-3.23.58-4.3.legacy.src.rpm
> 
> These packages are GPG signed by Fedora Legacy for security.  Our key is
> available from http://www.fedoralegacy.org/about/security.php
> 
> You can verify each package with the following command:
> 
>     rpm --checksig -v <filename>
> 
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
> 
>     sha1sum <filename>
> 
> 8. References:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
> 
> 9. Contact:
> 
> The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
> project details at http://www.fedoralegacy.org
> 
> ---------------------------------------------------------------------
> 
> 
> ------------------------------------------------------------------------
> 
> --
> Fedora-legacy-announce mailing list
> Fedora-legacy-announce@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-legacy-announce

- --
Ventsislav Genchev
Atlantis BG, Ltd.
E-mail: vigour@xxxxxxxxxxx
phone: +35928757001


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFCQ/N8wxiN6NaquRwRAlAqAKCS6SYwI5+MdgAJN9nsKR/sXEbd+QCfbzcI
lKDXm83PRKcrNpV4mvo+Oj0=
=5CQE
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- [FLSA-2005:2129] Updated mysql packages fix security issues
  - From: Marc Deslauriers

Prev by Date: [FLSA-2005:2268] Updated spamassassin package fixes security issues
Next by Date: Re: [FLSA-2005:2129] Updated mysql packages fix security issues
Previous by thread: [FLSA-2005:2129] Updated mysql packages fix security issues
Next by thread: Re: [FLSA-2005:2129] Updated mysql packages fix security issues
Index(es):
- Date
- Thread