<<< Date Index >>>     <<< Thread Index >>>

[ MDVSA-2009:094 ] mysql



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:094
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mysql
 Date    : April 22, 2009
 Affected: 2008.1, 2009.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in mysql:
 
 MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6
 does not properly handle a b'' (b single-quote single-quote) token,
 aka an empty bit-string literal, which allows remote attackers to
 cause a denial of service (daemon crash) by using this token in a
 SQL statement (CVE-2008-3963).
 
 MySQL 5.0.51a allows local users to bypass certain privilege checks by
 calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY
 or (2) INDEX DIRECTORY arguments that are associated with symlinks
 within pathnames for subdirectories of the MySQL home data directory,
 which are followed when tables are created in the future. NOTE: this
 vulnerability exists because of an incomplete fix for CVE-2008-2079
 (CVE-2008-4097).
 
 MySQL before 5.0.67 allows local users to bypass certain privilege
 checks by calling CREATE TABLE on a MyISAM table with modified (1)
 DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally
 associated with pathnames without symlinks, and that can point to
 tables created at a future time at which a pathname is modified
 to contain a symlink to a subdirectory of the MySQL home data
 directory. NOTE: this vulnerability exists because of an incomplete
 fix for CVE-2008-4097 (CVE-2008-4098).
 
 Cross-site scripting (XSS) vulnerability in the command-line client
 in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
 allows attackers to inject arbitrary web script or HTML by placing
 it in a database cell, which might be accessed by this client when
 composing an HTML document (CVE-2008-4456).
 
 bugs in the Mandriva Linux 2008.1 packages that has been fixed:
 
  o upstream fix for mysql bug35754 (#38398, #44691)
  o fix #46116 (initialization file mysqld-max don't show correct
  application status)
  o fix upstream bug 42366
 
 bugs in the Mandriva Linux 2009.0 packages that has been fixed:
 
  o upgraded 5.0.67 to 5.0.77 (fixes CVE-2008-3963, CVE-2008-4097,
  CVE-2008-4098)
  o no need to workaround #38398, #44691 anymore (since 5.0.75)
  o fix upstream bug 42366
  o fix #46116 (initialization file mysqld-max don't show correct
  application status)
  o sphinx-0.9.8.1
 
 bugs in the Mandriva Linux Corporate Server 4 packages that has
 been fixed:
  o fix upstream bug 42366
  o fix #46116 (initialization file mysqld-max don't show correct
  application status)
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 9b4727c105c6bb91fe0109c48c6a62c7  
2008.1/i586/libmysql15-5.0.51a-8.2mdv2008.1.i586.rpm
 36f5d40e048209da259ffe577b26b197  
2008.1/i586/libmysql-devel-5.0.51a-8.2mdv2008.1.i586.rpm
 3bebe8b1b61d3740e363ebc6b5277984  
2008.1/i586/libmysql-static-devel-5.0.51a-8.2mdv2008.1.i586.rpm
 4381320bb57dd72b179f12854d4a19c0  
2008.1/i586/mysql-5.0.51a-8.2mdv2008.1.i586.rpm
 a354c4f603650556a45f45508085ee04  
2008.1/i586/mysql-bench-5.0.51a-8.2mdv2008.1.i586.rpm
 4ef771023a2ca2d3b4e0ab09f05196a4  
2008.1/i586/mysql-client-5.0.51a-8.2mdv2008.1.i586.rpm
 ed81d02b8375e951630ff140aee787f4  
2008.1/i586/mysql-common-5.0.51a-8.2mdv2008.1.i586.rpm
 cf37d0ee972f6b76608cc489fe741259  
2008.1/i586/mysql-doc-5.0.51a-8.2mdv2008.1.i586.rpm
 7dbe697e63e649d90fc10bd463c617c3  
2008.1/i586/mysql-max-5.0.51a-8.2mdv2008.1.i586.rpm
 bae41a72b59a29f2c8551a2797e952b6  
2008.1/i586/mysql-ndb-extra-5.0.51a-8.2mdv2008.1.i586.rpm
 2bfb6c5489c1385d9e0002042e18363f  
2008.1/i586/mysql-ndb-management-5.0.51a-8.2mdv2008.1.i586.rpm
 60acd7ec6ce976d0cc4acfe0c863b949  
2008.1/i586/mysql-ndb-storage-5.0.51a-8.2mdv2008.1.i586.rpm
 8176402e8f031009d503571c202d5d23  
2008.1/i586/mysql-ndb-tools-5.0.51a-8.2mdv2008.1.i586.rpm 
 19db21438d94249221d0891420ccd5a4  
2008.1/SRPMS/mysql-5.0.51a-8.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 e2416c3607efbc575cc39829b949abbd  
2008.1/x86_64/lib64mysql15-5.0.51a-8.2mdv2008.1.x86_64.rpm
 9b895531d53e5ba9dfc021b44f823533  
2008.1/x86_64/lib64mysql-devel-5.0.51a-8.2mdv2008.1.x86_64.rpm
 dbc865fb0174b6c224a4ac4aa407d9df  
2008.1/x86_64/lib64mysql-static-devel-5.0.51a-8.2mdv2008.1.x86_64.rpm
 9a51080fb59c70798278305989b66dce  
2008.1/x86_64/mysql-5.0.51a-8.2mdv2008.1.x86_64.rpm
 2599471a229267a60c85900816e06a6d  
2008.1/x86_64/mysql-bench-5.0.51a-8.2mdv2008.1.x86_64.rpm
 a4174b9642f7f38a20881e6ef2e26a09  
2008.1/x86_64/mysql-client-5.0.51a-8.2mdv2008.1.x86_64.rpm
 1e95a340c0b06efad67cf380a25f47d8  
2008.1/x86_64/mysql-common-5.0.51a-8.2mdv2008.1.x86_64.rpm
 3aede79c806ee16a3b372ac16423319e  
2008.1/x86_64/mysql-doc-5.0.51a-8.2mdv2008.1.x86_64.rpm
 593d76e5d1d80e01ea664b8abcad7886  
2008.1/x86_64/mysql-max-5.0.51a-8.2mdv2008.1.x86_64.rpm
 d229e1e2c6e9b3c22858f87a94a02c2d  
2008.1/x86_64/mysql-ndb-extra-5.0.51a-8.2mdv2008.1.x86_64.rpm
 9600603733943299e131deca88afd28f  
2008.1/x86_64/mysql-ndb-management-5.0.51a-8.2mdv2008.1.x86_64.rpm
 2cd0850a913ed9330111fc8c4677eed0  
2008.1/x86_64/mysql-ndb-storage-5.0.51a-8.2mdv2008.1.x86_64.rpm
 d8ba1a56b9d1af528182e97eeb789aa5  
2008.1/x86_64/mysql-ndb-tools-5.0.51a-8.2mdv2008.1.x86_64.rpm 
 19db21438d94249221d0891420ccd5a4  
2008.1/SRPMS/mysql-5.0.51a-8.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 1191b4a2117e57d3f05f7e0caa16f411  
2009.0/i586/libmysql15-5.0.77-0.2mdv2009.0.i586.rpm
 3d7d538d91e79060f28840895a19ae0e  
2009.0/i586/libmysql-devel-5.0.77-0.2mdv2009.0.i586.rpm
 ecba0d2d283106737b132b468c1452ea  
2009.0/i586/libmysql-static-devel-5.0.77-0.2mdv2009.0.i586.rpm
 a33ae4ff855bcad95944a3e370f5bbcb  
2009.0/i586/mysql-5.0.77-0.2mdv2009.0.i586.rpm
 05bbda41d412ae5718f59c1cb374347d  
2009.0/i586/mysql-bench-5.0.77-0.2mdv2009.0.i586.rpm
 02bf37b39c69440f132f63c47310bf71  
2009.0/i586/mysql-client-5.0.77-0.2mdv2009.0.i586.rpm
 e031d16609e22505c1d6227d89fd47ad  
2009.0/i586/mysql-common-5.0.77-0.2mdv2009.0.i586.rpm
 145910d58bffce4df2357ccd3c724148  
2009.0/i586/mysql-doc-5.0.77-0.2mdv2009.0.i586.rpm
 1e0d73afb856fe088070a287ca697350  
2009.0/i586/mysql-max-5.0.77-0.2mdv2009.0.i586.rpm
 64cfa38b7667d0d0de6b2e31ccf9bc5a  
2009.0/i586/mysql-ndb-extra-5.0.77-0.2mdv2009.0.i586.rpm
 246f05a349d63952e0e165e4c791f108  
2009.0/i586/mysql-ndb-management-5.0.77-0.2mdv2009.0.i586.rpm
 b868d15abbf241de5efcd36709da8528  
2009.0/i586/mysql-ndb-storage-5.0.77-0.2mdv2009.0.i586.rpm
 2c2ffe4bf5bb40cc58310b3715833a40  
2009.0/i586/mysql-ndb-tools-5.0.77-0.2mdv2009.0.i586.rpm 
 d635c890e7c2fbca462bb64b7df3aa5b  
2009.0/SRPMS/mysql-5.0.77-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 d58cbe41094a42e932be80d93edf150d  
2009.0/x86_64/lib64mysql15-5.0.77-0.2mdv2009.0.x86_64.rpm
 a22ef0c87675a2c0364ac16767e6344a  
2009.0/x86_64/lib64mysql-devel-5.0.77-0.2mdv2009.0.x86_64.rpm
 922ebba7d7d045b3f54ff1b938076cd7  
2009.0/x86_64/lib64mysql-static-devel-5.0.77-0.2mdv2009.0.x86_64.rpm
 ef2e3123fb0c76bbf00f5dfe07c23b7c  
2009.0/x86_64/mysql-5.0.77-0.2mdv2009.0.x86_64.rpm
 6ee14f2f4276c6ec68b2f08010d2e313  
2009.0/x86_64/mysql-bench-5.0.77-0.2mdv2009.0.x86_64.rpm
 245bf40c8682e7f383818a6372bb5878  
2009.0/x86_64/mysql-client-5.0.77-0.2mdv2009.0.x86_64.rpm
 3158cf10cba8acef4e4df1eee4f173a1  
2009.0/x86_64/mysql-common-5.0.77-0.2mdv2009.0.x86_64.rpm
 85e46c80b0388393aa0ba4664d6a0501  
2009.0/x86_64/mysql-doc-5.0.77-0.2mdv2009.0.x86_64.rpm
 788f14a27ab2b97003c97d38ccd30b3c  
2009.0/x86_64/mysql-max-5.0.77-0.2mdv2009.0.x86_64.rpm
 25e2dc9d6bce3b3ee4c79015f1a063d9  
2009.0/x86_64/mysql-ndb-extra-5.0.77-0.2mdv2009.0.x86_64.rpm
 bd887b6c4d2069e5123e8f4a16e49638  
2009.0/x86_64/mysql-ndb-management-5.0.77-0.2mdv2009.0.x86_64.rpm
 99ce6bafe9b4a7ceaf1b73d11f295f45  
2009.0/x86_64/mysql-ndb-storage-5.0.77-0.2mdv2009.0.x86_64.rpm
 dbfa0beec9664e3a318fd34c9a3b5fa6  
2009.0/x86_64/mysql-ndb-tools-5.0.77-0.2mdv2009.0.x86_64.rpm 
 d635c890e7c2fbca462bb64b7df3aa5b  
2009.0/SRPMS/mysql-5.0.77-0.2mdv2009.0.src.rpm

 Corporate 4.0:
 3557c7bb228099472a0c89e6d694d6e5  
corporate/4.0/i586/libmysql15-5.0.45-7.3.20060mlcs4.i586.rpm
 cfd1b37b291bd2a1181a1bd194b3e322  
corporate/4.0/i586/libmysql-devel-5.0.45-7.3.20060mlcs4.i586.rpm
 f61efb3779d0a12e46d46d2bb8f9d215  
corporate/4.0/i586/libmysql-static-devel-5.0.45-7.3.20060mlcs4.i586.rpm
 7def1d43eab3c3c4054f0b6bac55e80e  
corporate/4.0/i586/mysql-5.0.45-7.3.20060mlcs4.i586.rpm
 ed6e809beed005cac1b724ea5a751507  
corporate/4.0/i586/mysql-bench-5.0.45-7.3.20060mlcs4.i586.rpm
 2a6f16ce0444beea1f8a80bb07eac559  
corporate/4.0/i586/mysql-client-5.0.45-7.3.20060mlcs4.i586.rpm
 238d2b9b3c0eadaf766894aa02cdf43b  
corporate/4.0/i586/mysql-common-5.0.45-7.3.20060mlcs4.i586.rpm
 1cd9946cb632883591376a1270bb1ef4  
corporate/4.0/i586/mysql-max-5.0.45-7.3.20060mlcs4.i586.rpm
 087825bca7a1bb16166b62c4a31a28ee  
corporate/4.0/i586/mysql-ndb-extra-5.0.45-7.3.20060mlcs4.i586.rpm
 34bc6d6fa439d4b0b3559334e8521f71  
corporate/4.0/i586/mysql-ndb-management-5.0.45-7.3.20060mlcs4.i586.rpm
 75fa145c3a2f02b86fc679043ff92026  
corporate/4.0/i586/mysql-ndb-storage-5.0.45-7.3.20060mlcs4.i586.rpm
 1752c1ca9522c93e2f28949ac62d646b  
corporate/4.0/i586/mysql-ndb-tools-5.0.45-7.3.20060mlcs4.i586.rpm 
 28e52dceda0279ef95de899fa87c139d  
corporate/4.0/SRPMS/mysql-5.0.45-7.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 13b1d4a7d09cff6303bd5e5844d78426  
corporate/4.0/x86_64/lib64mysql15-5.0.45-7.3.20060mlcs4.x86_64.rpm
 82872e45155c36baa749d54af29b21a8  
corporate/4.0/x86_64/lib64mysql-devel-5.0.45-7.3.20060mlcs4.x86_64.rpm
 8bd62bfdffa69779984483f407250f91  
corporate/4.0/x86_64/lib64mysql-static-devel-5.0.45-7.3.20060mlcs4.x86_64.rpm
 495cdc16d378e136a2a5ea36c2b796d2  
corporate/4.0/x86_64/mysql-5.0.45-7.3.20060mlcs4.x86_64.rpm
 d3f0becb3e9c397d4e823d2bad84e5b7  
corporate/4.0/x86_64/mysql-bench-5.0.45-7.3.20060mlcs4.x86_64.rpm
 acb36ea1030b70b3ccba79c0c6ea7990  
corporate/4.0/x86_64/mysql-client-5.0.45-7.3.20060mlcs4.x86_64.rpm
 5dad314f8cfaf582c627778931777a26  
corporate/4.0/x86_64/mysql-common-5.0.45-7.3.20060mlcs4.x86_64.rpm
 b250f0d6f9065b5b13d2a90d26450df5  
corporate/4.0/x86_64/mysql-max-5.0.45-7.3.20060mlcs4.x86_64.rpm
 6e2c57a6c2c98eadba5b9dfd0ad749c5  
corporate/4.0/x86_64/mysql-ndb-extra-5.0.45-7.3.20060mlcs4.x86_64.rpm
 103b683521e544330b00ff12f590b603  
corporate/4.0/x86_64/mysql-ndb-management-5.0.45-7.3.20060mlcs4.x86_64.rpm
 13fd214bae5164df51d71c5b77cf9038  
corporate/4.0/x86_64/mysql-ndb-storage-5.0.45-7.3.20060mlcs4.x86_64.rpm
 afa36b210745a77019a09891c9b6e61e  
corporate/4.0/x86_64/mysql-ndb-tools-5.0.45-7.3.20060mlcs4.x86_64.rpm 
 28e52dceda0279ef95de899fa87c139d  
corporate/4.0/SRPMS/mysql-5.0.45-7.3.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ7xuFmqjQ0CJFipgRArMDAKDERKZ0Z2qU0C9YOnLvh9sUQCIgxACeKSpC
eJZtPU8pHegqERNdHbgZoM8=
=Q7aJ
-----END PGP SIGNATURE-----