[ MDVSA-2009:094 ] mysql
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:094
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mysql
Date : April 22, 2009
Affected: 2008.1, 2009.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in mysql:
MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6
does not properly handle a b'' (b single-quote single-quote) token,
aka an empty bit-string literal, which allows remote attackers to
cause a denial of service (daemon crash) by using this token in a
SQL statement (CVE-2008-3963).
MySQL 5.0.51a allows local users to bypass certain privilege checks by
calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY
or (2) INDEX DIRECTORY arguments that are associated with symlinks
within pathnames for subdirectories of the MySQL home data directory,
which are followed when tables are created in the future. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2008-2079
(CVE-2008-4097).
MySQL before 5.0.67 allows local users to bypass certain privilege
checks by calling CREATE TABLE on a MyISAM table with modified (1)
DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally
associated with pathnames without symlinks, and that can point to
tables created at a future time at which a pathname is modified
to contain a symlink to a subdirectory of the MySQL home data
directory. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2008-4097 (CVE-2008-4098).
Cross-site scripting (XSS) vulnerability in the command-line client
in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
allows attackers to inject arbitrary web script or HTML by placing
it in a database cell, which might be accessed by this client when
composing an HTML document (CVE-2008-4456).
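The --html issue above (CVE-2008-4456) is a stored-data-to-markup defect: whatever sits in a database cell is copied straight into the generated HTML. The following added example, which is not code from Mandriva or from the MySQL client, shows the defect class beside its fix: an unescaped renderer and an escaped one fed the same constructed result set. The table layout is modelled loosely on what a command-line client emits and is an assumption, not the client's actual output.

```python
import html

# Constructed result set: one cell carries markup, as it would if a user had
# stored it in the database and an administrator then ran the client with --html.
HEADERS = ("id", "comment")
ROWS = [
    (1, "plain text"),
    (2, "<script>alert(document.cookie)</script>"),
    (3, None),  # SQL NULL
]

def _cell_text(value):
    """Render SQL NULL the way interactive clients usually do, everything else as str."""
    return "NULL" if value is None else str(value)

def render_rows_unsafe(headers, rows):
    """Illustration of the defect: cell values are concatenated verbatim, so a
    stored '<script>' element becomes live markup in the saved HTML report."""
    out = ["<TABLE BORDER=1>"]
    out.append("<TR>" + "".join(f"<TH>{h}</TH>" for h in headers) + "</TR>")
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{_cell_text(c)}</TD>" for c in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)

def render_rows_safe(headers, rows):
    """Hardened form: every header and cell value passes through html.escape
    (quote=True also covers attribute contexts), so data is only ever text."""
    esc = lambda v: html.escape(_cell_text(v), quote=True)
    out = ["<TABLE BORDER=1>"]
    out.append("<TR>" + "".join(f"<TH>{esc(h)}</TH>" for h in headers) + "</TR>")
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{esc(c)}</TD>" for c in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)

def contains_live_markup(document):
    """Detection helper for reviewing generated reports: True if a raw
    <script> tag survived into the output."""
    return "<script" in document.lower()

if __name__ == "__main__":
    print(render_rows_unsafe(HEADERS, ROWS))
    print(render_rows_safe(HEADERS, ROWS))
```

The only difference between the two renderers is the escaping step; the fix for this class of bug is to apply it unconditionally at the point where untrusted values meet the output encoding, rather than trying to filter "dangerous" cells.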
Bugs in the Mandriva Linux 2008.1 packages that have been fixed:
o upstream fix for mysql bug35754 (#38398, #44691)
o fix #46116 (initialization file mysqld-max doesn't show correct
application status)
o fix upstream bug 42366
Bugs in the Mandriva Linux 2009.0 packages that have been fixed:
o upgraded 5.0.67 to 5.0.77 (fixes CVE-2008-3963, CVE-2008-4097,
CVE-2008-4098)
o no need to workaround #38398, #44691 anymore (since 5.0.75)
o fix upstream bug 42366
o fix #46116 (initialization file mysqld-max doesn't show correct
application status)
o sphinx-0.9.8.1
Bugs in the Mandriva Linux Corporate Server 4 packages that have
been fixed:
o fix upstream bug 42366
o fix #46116 (initialization file mysqld-max doesn't show correct
application status)
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
9b4727c105c6bb91fe0109c48c6a62c7
2008.1/i586/libmysql15-5.0.51a-8.2mdv2008.1.i586.rpm
36f5d40e048209da259ffe577b26b197
2008.1/i586/libmysql-devel-5.0.51a-8.2mdv2008.1.i586.rpm
3bebe8b1b61d3740e363ebc6b5277984
2008.1/i586/libmysql-static-devel-5.0.51a-8.2mdv2008.1.i586.rpm
4381320bb57dd72b179f12854d4a19c0
2008.1/i586/mysql-5.0.51a-8.2mdv2008.1.i586.rpm
a354c4f603650556a45f45508085ee04
2008.1/i586/mysql-bench-5.0.51a-8.2mdv2008.1.i586.rpm
4ef771023a2ca2d3b4e0ab09f05196a4
2008.1/i586/mysql-client-5.0.51a-8.2mdv2008.1.i586.rpm
ed81d02b8375e951630ff140aee787f4
2008.1/i586/mysql-common-5.0.51a-8.2mdv2008.1.i586.rpm
cf37d0ee972f6b76608cc489fe741259
2008.1/i586/mysql-doc-5.0.51a-8.2mdv2008.1.i586.rpm
7dbe697e63e649d90fc10bd463c617c3
2008.1/i586/mysql-max-5.0.51a-8.2mdv2008.1.i586.rpm
bae41a72b59a29f2c8551a2797e952b6
2008.1/i586/mysql-ndb-extra-5.0.51a-8.2mdv2008.1.i586.rpm
2bfb6c5489c1385d9e0002042e18363f
2008.1/i586/mysql-ndb-management-5.0.51a-8.2mdv2008.1.i586.rpm
60acd7ec6ce976d0cc4acfe0c863b949
2008.1/i586/mysql-ndb-storage-5.0.51a-8.2mdv2008.1.i586.rpm
8176402e8f031009d503571c202d5d23
2008.1/i586/mysql-ndb-tools-5.0.51a-8.2mdv2008.1.i586.rpm
19db21438d94249221d0891420ccd5a4
2008.1/SRPMS/mysql-5.0.51a-8.2mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
e2416c3607efbc575cc39829b949abbd
2008.1/x86_64/lib64mysql15-5.0.51a-8.2mdv2008.1.x86_64.rpm
9b895531d53e5ba9dfc021b44f823533
2008.1/x86_64/lib64mysql-devel-5.0.51a-8.2mdv2008.1.x86_64.rpm
dbc865fb0174b6c224a4ac4aa407d9df
2008.1/x86_64/lib64mysql-static-devel-5.0.51a-8.2mdv2008.1.x86_64.rpm
9a51080fb59c70798278305989b66dce
2008.1/x86_64/mysql-5.0.51a-8.2mdv2008.1.x86_64.rpm
2599471a229267a60c85900816e06a6d
2008.1/x86_64/mysql-bench-5.0.51a-8.2mdv2008.1.x86_64.rpm
a4174b9642f7f38a20881e6ef2e26a09
2008.1/x86_64/mysql-client-5.0.51a-8.2mdv2008.1.x86_64.rpm
1e95a340c0b06efad67cf380a25f47d8
2008.1/x86_64/mysql-common-5.0.51a-8.2mdv2008.1.x86_64.rpm
3aede79c806ee16a3b372ac16423319e
2008.1/x86_64/mysql-doc-5.0.51a-8.2mdv2008.1.x86_64.rpm
593d76e5d1d80e01ea664b8abcad7886
2008.1/x86_64/mysql-max-5.0.51a-8.2mdv2008.1.x86_64.rpm
d229e1e2c6e9b3c22858f87a94a02c2d
2008.1/x86_64/mysql-ndb-extra-5.0.51a-8.2mdv2008.1.x86_64.rpm
9600603733943299e131deca88afd28f
2008.1/x86_64/mysql-ndb-management-5.0.51a-8.2mdv2008.1.x86_64.rpm
2cd0850a913ed9330111fc8c4677eed0
2008.1/x86_64/mysql-ndb-storage-5.0.51a-8.2mdv2008.1.x86_64.rpm
d8ba1a56b9d1af528182e97eeb789aa5
2008.1/x86_64/mysql-ndb-tools-5.0.51a-8.2mdv2008.1.x86_64.rpm
19db21438d94249221d0891420ccd5a4
2008.1/SRPMS/mysql-5.0.51a-8.2mdv2008.1.src.rpm
Mandriva Linux 2009.0:
1191b4a2117e57d3f05f7e0caa16f411
2009.0/i586/libmysql15-5.0.77-0.2mdv2009.0.i586.rpm
3d7d538d91e79060f28840895a19ae0e
2009.0/i586/libmysql-devel-5.0.77-0.2mdv2009.0.i586.rpm
ecba0d2d283106737b132b468c1452ea
2009.0/i586/libmysql-static-devel-5.0.77-0.2mdv2009.0.i586.rpm
a33ae4ff855bcad95944a3e370f5bbcb
2009.0/i586/mysql-5.0.77-0.2mdv2009.0.i586.rpm
05bbda41d412ae5718f59c1cb374347d
2009.0/i586/mysql-bench-5.0.77-0.2mdv2009.0.i586.rpm
02bf37b39c69440f132f63c47310bf71
2009.0/i586/mysql-client-5.0.77-0.2mdv2009.0.i586.rpm
e031d16609e22505c1d6227d89fd47ad
2009.0/i586/mysql-common-5.0.77-0.2mdv2009.0.i586.rpm
145910d58bffce4df2357ccd3c724148
2009.0/i586/mysql-doc-5.0.77-0.2mdv2009.0.i586.rpm
1e0d73afb856fe088070a287ca697350
2009.0/i586/mysql-max-5.0.77-0.2mdv2009.0.i586.rpm
64cfa38b7667d0d0de6b2e31ccf9bc5a
2009.0/i586/mysql-ndb-extra-5.0.77-0.2mdv2009.0.i586.rpm
246f05a349d63952e0e165e4c791f108
2009.0/i586/mysql-ndb-management-5.0.77-0.2mdv2009.0.i586.rpm
b868d15abbf241de5efcd36709da8528
2009.0/i586/mysql-ndb-storage-5.0.77-0.2mdv2009.0.i586.rpm
2c2ffe4bf5bb40cc58310b3715833a40
2009.0/i586/mysql-ndb-tools-5.0.77-0.2mdv2009.0.i586.rpm
d635c890e7c2fbca462bb64b7df3aa5b
2009.0/SRPMS/mysql-5.0.77-0.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
d58cbe41094a42e932be80d93edf150d
2009.0/x86_64/lib64mysql15-5.0.77-0.2mdv2009.0.x86_64.rpm
a22ef0c87675a2c0364ac16767e6344a
2009.0/x86_64/lib64mysql-devel-5.0.77-0.2mdv2009.0.x86_64.rpm
922ebba7d7d045b3f54ff1b938076cd7
2009.0/x86_64/lib64mysql-static-devel-5.0.77-0.2mdv2009.0.x86_64.rpm
ef2e3123fb0c76bbf00f5dfe07c23b7c
2009.0/x86_64/mysql-5.0.77-0.2mdv2009.0.x86_64.rpm
6ee14f2f4276c6ec68b2f08010d2e313
2009.0/x86_64/mysql-bench-5.0.77-0.2mdv2009.0.x86_64.rpm
245bf40c8682e7f383818a6372bb5878
2009.0/x86_64/mysql-client-5.0.77-0.2mdv2009.0.x86_64.rpm
3158cf10cba8acef4e4df1eee4f173a1
2009.0/x86_64/mysql-common-5.0.77-0.2mdv2009.0.x86_64.rpm
85e46c80b0388393aa0ba4664d6a0501
2009.0/x86_64/mysql-doc-5.0.77-0.2mdv2009.0.x86_64.rpm
788f14a27ab2b97003c97d38ccd30b3c
2009.0/x86_64/mysql-max-5.0.77-0.2mdv2009.0.x86_64.rpm
25e2dc9d6bce3b3ee4c79015f1a063d9
2009.0/x86_64/mysql-ndb-extra-5.0.77-0.2mdv2009.0.x86_64.rpm
bd887b6c4d2069e5123e8f4a16e49638
2009.0/x86_64/mysql-ndb-management-5.0.77-0.2mdv2009.0.x86_64.rpm
99ce6bafe9b4a7ceaf1b73d11f295f45
2009.0/x86_64/mysql-ndb-storage-5.0.77-0.2mdv2009.0.x86_64.rpm
dbfa0beec9664e3a318fd34c9a3b5fa6
2009.0/x86_64/mysql-ndb-tools-5.0.77-0.2mdv2009.0.x86_64.rpm
d635c890e7c2fbca462bb64b7df3aa5b
2009.0/SRPMS/mysql-5.0.77-0.2mdv2009.0.src.rpm
Corporate 4.0:
3557c7bb228099472a0c89e6d694d6e5
corporate/4.0/i586/libmysql15-5.0.45-7.3.20060mlcs4.i586.rpm
cfd1b37b291bd2a1181a1bd194b3e322
corporate/4.0/i586/libmysql-devel-5.0.45-7.3.20060mlcs4.i586.rpm
f61efb3779d0a12e46d46d2bb8f9d215
corporate/4.0/i586/libmysql-static-devel-5.0.45-7.3.20060mlcs4.i586.rpm
7def1d43eab3c3c4054f0b6bac55e80e
corporate/4.0/i586/mysql-5.0.45-7.3.20060mlcs4.i586.rpm
ed6e809beed005cac1b724ea5a751507
corporate/4.0/i586/mysql-bench-5.0.45-7.3.20060mlcs4.i586.rpm
2a6f16ce0444beea1f8a80bb07eac559
corporate/4.0/i586/mysql-client-5.0.45-7.3.20060mlcs4.i586.rpm
238d2b9b3c0eadaf766894aa02cdf43b
corporate/4.0/i586/mysql-common-5.0.45-7.3.20060mlcs4.i586.rpm
1cd9946cb632883591376a1270bb1ef4
corporate/4.0/i586/mysql-max-5.0.45-7.3.20060mlcs4.i586.rpm
087825bca7a1bb16166b62c4a31a28ee
corporate/4.0/i586/mysql-ndb-extra-5.0.45-7.3.20060mlcs4.i586.rpm
34bc6d6fa439d4b0b3559334e8521f71
corporate/4.0/i586/mysql-ndb-management-5.0.45-7.3.20060mlcs4.i586.rpm
75fa145c3a2f02b86fc679043ff92026
corporate/4.0/i586/mysql-ndb-storage-5.0.45-7.3.20060mlcs4.i586.rpm
1752c1ca9522c93e2f28949ac62d646b
corporate/4.0/i586/mysql-ndb-tools-5.0.45-7.3.20060mlcs4.i586.rpm
28e52dceda0279ef95de899fa87c139d
corporate/4.0/SRPMS/mysql-5.0.45-7.3.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
13b1d4a7d09cff6303bd5e5844d78426
corporate/4.0/x86_64/lib64mysql15-5.0.45-7.3.20060mlcs4.x86_64.rpm
82872e45155c36baa749d54af29b21a8
corporate/4.0/x86_64/lib64mysql-devel-5.0.45-7.3.20060mlcs4.x86_64.rpm
8bd62bfdffa69779984483f407250f91
corporate/4.0/x86_64/lib64mysql-static-devel-5.0.45-7.3.20060mlcs4.x86_64.rpm
495cdc16d378e136a2a5ea36c2b796d2
corporate/4.0/x86_64/mysql-5.0.45-7.3.20060mlcs4.x86_64.rpm
d3f0becb3e9c397d4e823d2bad84e5b7
corporate/4.0/x86_64/mysql-bench-5.0.45-7.3.20060mlcs4.x86_64.rpm
acb36ea1030b70b3ccba79c0c6ea7990
corporate/4.0/x86_64/mysql-client-5.0.45-7.3.20060mlcs4.x86_64.rpm
5dad314f8cfaf582c627778931777a26
corporate/4.0/x86_64/mysql-common-5.0.45-7.3.20060mlcs4.x86_64.rpm
b250f0d6f9065b5b13d2a90d26450df5
corporate/4.0/x86_64/mysql-max-5.0.45-7.3.20060mlcs4.x86_64.rpm
6e2c57a6c2c98eadba5b9dfd0ad749c5
corporate/4.0/x86_64/mysql-ndb-extra-5.0.45-7.3.20060mlcs4.x86_64.rpm
103b683521e544330b00ff12f590b603
corporate/4.0/x86_64/mysql-ndb-management-5.0.45-7.3.20060mlcs4.x86_64.rpm
13fd214bae5164df51d71c5b77cf9038
corporate/4.0/x86_64/mysql-ndb-storage-5.0.45-7.3.20060mlcs4.x86_64.rpm
afa36b210745a77019a09891c9b6e61e
corporate/4.0/x86_64/mysql-ndb-tools-5.0.45-7.3.20060mlcs4.x86_64.rpm
28e52dceda0279ef95de899fa87c139d
corporate/4.0/SRPMS/mysql-5.0.45-7.3.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
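For packages fetched by hand rather than through urpmi, the md5 check the tool performs automatically can be reproduced against the "Updated Packages" list above. The following added example is not Mandriva's tooling: it parses the advisory's package list (accepting both the one-line "md5  path" layout of the original mail and the layout where hash and path land on separate lines), hashes each downloaded file and reports matches, mismatches and missing files. The embedded advisory excerpt copies two real entries from this advisory; the files written in `demo()` are constructed stand-ins, not real packages.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Two entries copied from the advisory's 2009.0 section (hashes and paths as listed above).
ADVISORY_EXCERPT = """\
Mandriva Linux 2009.0:
1191b4a2117e57d3f05f7e0caa16f411
2009.0/i586/libmysql15-5.0.77-0.2mdv2009.0.i586.rpm
a33ae4ff855bcad95944a3e370f5bbcb  2009.0/i586/mysql-5.0.77-0.2mdv2009.0.i586.rpm
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_package_list(text):
    """Return {relative_path: expected_md5} from an advisory package list.
    A hash may share its line with the path or precede it on its own line;
    headings and separator lines are skipped."""
    expected, pending = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if MD5_RE.match(parts[0]):
            if len(parts) >= 2 and parts[1].endswith(".rpm"):
                expected[parts[1]] = parts[0]
                pending = None
            else:
                pending = parts[0]
        elif pending and parts[0].endswith(".rpm"):
            expected[parts[0]] = pending
            pending = None
    return expected

def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large packages do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_downloads(advisory_text, mirror_root):
    """Compare every listed package under mirror_root with its advisory hash.
    Returns (ok, mismatched, missing) lists of relative paths."""
    ok, mismatched, missing = [], [], []
    for rel, expected in parse_package_list(advisory_text).items():
        local = Path(mirror_root) / rel
        if not local.is_file():
            missing.append(rel)
        elif md5_of_file(local) == expected:
            ok.append(rel)
        else:
            mismatched.append(rel)
    return ok, mismatched, missing

def demo():
    """Self-contained run: constructed files in a temporary mirror, one matching
    its listed hash, one tampered, one absent (hash-only entry of zeros is constructed)."""
    root = tempfile.mkdtemp()
    good = "2009.0/i586/mysql-5.0.77-0.2mdv2009.0.i586.rpm"
    bad = "2009.0/i586/mysql-client-5.0.77-0.2mdv2009.0.i586.rpm"
    absent = "2009.0/i586/mysql-common-5.0.77-0.2mdv2009.0.i586.rpm"
    payload = b"constructed package bytes, not a real rpm"
    for rel, data in ((good, payload), (bad, payload + b" tampered")):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    listed = hashlib.md5(payload).hexdigest()
    advisory = "\n".join([
        f"{listed}  {good}",   # one-line layout
        listed, bad,           # hash and path on separate lines
        "0" * 32, absent,      # constructed entry for a file never downloaded
    ])
    return verify_downloads(advisory, root)

if __name__ == "__main__":
    for label, paths in zip(("ok", "mismatched", "missing"), demo()):
        print(label, paths)
```

The md5 check only ties a file to the advisory text; the GPG signature on the advisory and on the packages, verified against the Security Team key retrieved with the gpg command above, is what ties both to Mandriva.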
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJ7xuFmqjQ0CJFipgRArMDAKDERKZ0Z2qU0C9YOnLvh9sUQCIgxACeKSpC
eJZtPU8pHegqERNdHbgZoM8=
=Q7aJ
-----END PGP SIGNATURE-----