Debians sikkerhedsbulletin
DSA-2057-1 mysql-dfsg-5.0 -- flere sårbarheder
- Rapporteret den:
- 7. jun 2010
- Berørte pakker:
- mysql-dfsg-5.0
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2010-1626, CVE-2010-1848, CVE-2010-1849, CVE-2010-1850.
- Yderligere oplysninger:
-
Flere sårbarheder er opdaget i databaseserveren MySQL. Projektet Common Vulnerabilities and Exposures har registreret følgende problemer:
- CVE-2010-1626
MySQL gjorde det muligt for lokale brugere at slette data og indeksfiler tilhørende en anden brugers MyISAM-tabel gennem et symlinkangreb i forbindelse med DROP TABLE-kommandoen.
- CVE-2010-1848
MySQL kontrollerede ikke tabelnavnparameteret hørende til en COM_FIELD_LIST-kommandopakke for validitet og overensstemmelse med standarderne for acceptable tabelnavne. Dermed kunne en autentificeret bruger med SELECT-rettigheder på en tabel, få adgang til enhver anden tabels feltdefinitionern i alle andre databaser, og potentielt andre MySQL-instanser, tilgængelige fra serverens filsystem.
- CVE-2010-1849
MySQL kunne narres til at læse pakker i al uendelighed, hvis den modtog en pakke større end den maksimale størrelse på en pakke. Det medførte højt CPU-forbrug og dermed lammelsesangrebstilstande.
- CVE-2010-1850
MySQL var sårbar over for et bufferoverløbsangreb på grund af der ikke blev udført grænsekontroller på et tabelnavnparameter hørende til en COM_FIELD_LIST-kommandopakke. Ved at sende
lange data
som tabelnavn, løb en buffer over, hvilket kunne udnyttes af en autentificeret bruger til at indsprøjte ondsindet kode.
I den stabile distribution (lenny), er disse problemer rettet i version 5.0.51a-24+lenny4
Distributionen testing (squeeze) og den unstable distribution (sid) indeholder ikke længere mysql-dfsg-5.0.
Vi anbefaler at du opgraderer din mysql-dfsg-5.0-pakke.
- CVE-2010-1626
- Rettet i:
-
Debian GNU/Linux 5.0 (lenny)
- Kildekode:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny4.dsc
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny4.dsc
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-24+lenny4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-24+lenny4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-24+lenny4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-24+lenny4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny4_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.