Debians sikkerhedsbulletin

DSA-303-1 mysql -- rettighedsforøgelse

Rapporteret den:

15. maj 2003

Berørte pakker:

mysql

Sårbar:

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 7052.
I Mitres CVE-ordbog: CVE-2003-0073, CVE-2003-0150.

Yderligere oplysninger:

CAN-2003-0073: Pakken mysql indeholder en fejl, hvor dynamisk allokeret hukommelse frigives mere end en gang, hvilket kunne iværksættes med vilje af en angriber og dermed få systemet til at gå ned, medførende at lammelsesangreb. For at udnytte denne sårbarhed, er en gyldig kombination af brugernavn og adgangskode krævet, for at få adgang til MySQL-serveren.

CAN-2003-0150: Pakken mysql indeholder en fejl, hvor en ondsindet bruger, der har visse rettigheder i mysql, kunne oprette en opsætningsfil, hvilket kunne få mysql-serveren til at køre som root, eller enhver anden bruger, i stedet for mysql-brugeren.

I den stabile distribution (woody) er begge problemer rettet i version 3.23.49-8.4.

Den gamle stabile distribution (potato) er kun påvirket af CAN-2003-0150 og dette er rettet i version 3.22.32-6.4.

I den ustabile distribution (sid), er CAN-2003-0073 rettet i version 4.0.12-2 og CAN-2003-0150 vil snart blive rettet.

Vi anbefaler at du opdaterer din mysql-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb

Debian GNU/Linux 2.2 (potato)

Kildekode:: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.