Debian-Sicherheitsankündigung

DSA-1662-1 mysql-dfsg-5.0 -- Umgehung der Autorisierung

Datum des Berichts:

06. Nov 2008

Betroffene Pakete:

mysql-dfsg-5.0

Verwundbar:

Sicherheitsdatenbanken-Referenzen:

In der Debian-Fehlerdatenbank: Fehler 480292.
In Mitres CVE-Verzeichnis: CVE-2008-4098.

Weitere Informationen:

Eine Symlink-Verwundbarkeit wurde in MySQL, einem relationalen Datenbank-Server, entdeckt. Die Schwäche könnte es einem Angreifer ermöglichen, sowohl CREATE TABLE-Zugriff auf eine Datenbank zu erlangen, als auch Shell-Kommandos auf dem Datenbankserver auszuführen, um die Zugriffskontrollen von MySQL zu umgehen. Dadurch wäre es dem Angreifer möglich, in Datensätze zu schreiben, auf die er unter normalen Umständen keinen Zugriff hätte.

Das Common Vulnerabilities and Exposures-Projekt identifiziert die Verwundbarkeit als CVE-2008-4098. Eine damit zusammenhängende Verwundbarkeit (CVE-2008-4097) wurde bereits durch die in DSA-1608-1 angekündigte Aktualisierung behoben. Die vorliegende neue Aktualisierung ersetzt die vorherige und beseitigt beide Angriffsmöglichkeiten.

Für die Stable-Distribution (Etch) wurde dieses Problem in Version 5.0.32-7etch8 behoben.

Wir empfehlen Ihnen, Ihre mysql-Pakete zu aktualisieren.

Behoben in:

Debian GNU/Linux 4.0 (etch)

Quellcode:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.dsc; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.diff.gz
Architektur-unabhängige Dateien:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch8_all.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch8_all.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch8_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_amd64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_amd64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_amd64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_amd64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_sparc.deb

MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.