Debian Security Advisory

DSA-1783-1 mysql-dfsg-5.0 -- several vulnerabilities

Date reported:
29 April 2009
Affected packages:
mysql-dfsg-5.0
Vulnerable:
Yes
Security database references:
In the Debian bug tracking system: Bug 498362.
In Mitre's CVE dictionary: CVE-2008-3963, CVE-2008-4456.
More information:

Several vulnerabilities have been discovered in MySQL, a relational database server, and in its interactive client application. The Common Vulnerabilities and Exposures project identifies the following problems.

  • CVE-2008-3963

    Kay Roepke reported that the MySQL server did not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (Etch), but not the stable distribution (Lenny).

  • CVE-2008-4456

    Thomas Henlich reported that the MySQL command-line client application does not encode HTML special characters when run in HTML output mode (that is, "mysql --html …"). This could potentially lead to cross-site scripting or unintended privilege escalation if the resulting output is viewed in a browser or incorporated into a web site.
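The effect described for CVE-2008-4456 can be seen in a small report renderer, with the encoding step switched off and on. This is an added example, not code from MySQL or from the advisory: the table layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample result set; row 2 holds markup stored as ordinary data.
COLUMNS = ["id", "comment"]
ROWS = [(1, "plain text"),
        (2, "<script>alert(1)</script>"),
        (3, 'a & b "quoted"'),
        (4, None)]

def render_html_table(columns, rows, escape=True):
    """Render a result set as an HTML table (the layout is an assumption)."""
    enc = html.escape if escape else (lambda s: s)

    def cell(value):
        return "NULL" if value is None else enc(str(value))

    lines = ["<TABLE BORDER=1>"]
    lines.append("<TR>" + "".join(f"<TH>{enc(c)}</TH>" for c in columns) + "</TR>")
    for row in rows:
        lines.append("<TR>" + "".join(f"<TD>{cell(v)}</TD>" for v in row) + "</TR>")
    lines.append("</TABLE>")
    return "\n".join(lines)

class _TagAudit(HTMLParser):
    """Collect every start tag that is not part of the table skeleton."""
    SKELETON = {"table", "tr", "th", "td"}

    def __init__(self):
        super().__init__()
        self.unexpected = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.SKELETON:
            self.unexpected.append(tag)

def unexpected_tags(markup):
    """Return tags a browser would parse that the report never intended."""
    audit = _TagAudit()
    audit.feed(markup)
    audit.close()
    return audit.unexpected

if __name__ == "__main__":
    for escape in (False, True):
        report = render_html_table(COLUMNS, ROWS, escape=escape)
        print(f"escape={escape}: unexpected tags = {unexpected_tags(report)}")
```

The same audit can be run over reports that were generated before the client was upgraded, to find pages where stored data was interpreted as markup.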

For the oldstable distribution (Etch), these problems have been fixed in version 5.0.32-7etch10.

For the stable distribution (Lenny), these problems have been fixed in version 5.0.51a-24+lenny1.

We recommend that you upgrade your mysql-dfsg-5.0 packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch10.diff.gz
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch10.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch10_all.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch10_all.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch10_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_ia64.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch10_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch10_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch10_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch10_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch10_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny1.diff.gz
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny1.dsc
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-24+lenny1_all.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-24+lenny1_all.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-24+lenny1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_arm.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_armel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_armel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_armel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_i386.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_mips.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_s390.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny1_sparc.deb

MD5 checksums of the listed files are available in the original security advisory.