Debian Security Advisory

DLA-75-1 mysql-5.1 -- LTS security update

Date Reported: 22 Oct 2014
Affected Packages: mysql-5.1
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2013-2162, CVE-2014-0001, CVE-2014-4274.
More information:

This update fixes one important vulnerability (CVE-2014-4274) and batches together two other minor fixes (CVE-2013-2162, CVE-2014-0001).

  • CVE-2014-4274

    Insecure handling of a temporary file that could lead to execution of arbitrary code through the creation of a MySQL configuration file pointing to an attacker-controlled plugin_dir.

  • CVE-2013-2162

    Insecure creation of the debian.cnf credential file. Credentials could be stolen by a local user monitoring that file while the package gets installed.

  • CVE-2014-0001

    Buffer overrun in the MySQL client when the server sends a version string that is too big for the allocated buffer.

For Debian 6 Squeeze, these issues have been fixed in mysql-5.1 version 5.1.73-1+deb6u1
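
The class of bug behind CVE-2013-2162 (a credential file that is readable while it is being created) can be seen by comparing a create-then-chmod sequence with one that never exposes the secret. This is an added example, not code from the advisory or from the mysql-5.1 package; the function names, file contents and paths are constructed, and it assumes GNU coreutils (`stat -c`, `mktemp`).

```shell
# Constructed illustration; not the package's maintainer script.
# Each function writes a credential file and prints the file mode that was
# in effect at the moment the secret first reached the disk.

# Racy pattern: the file is created under a permissive umask, the secret is
# written, and the permissions are tightened only afterwards. Between the
# write and the chmod, any local user can open and read the file.
write_cnf_racy() (
    cnf=$1; pass=$2
    umask 022
    printf '[client]\nuser=example-maint\npassword=%s\n' "$pass" > "$cnf"
    stat -c '%a' "$cnf"          # mode while the secret is already on disk
    chmod 600 "$cnf"
)

# Hardened pattern: restrictive umask first, write into a private temporary
# file in the same directory, then rename it into place. The secret is never
# present in a file that other users can read, and the rename is atomic.
write_cnf_safe() (
    cnf=$1; pass=$2
    umask 077
    tmp=$(mktemp "${cnf}.XXXXXX") || exit 1   # mktemp creates the file as 0600
    stat -c '%a' "$tmp"          # mode before any secret is written
    printf '[client]\nuser=example-maint\npassword=%s\n' "$pass" > "$tmp"
    mv -f "$tmp" "$cnf"
)

# Demonstration in a throwaway directory with a constructed password.
demo_dir=$(mktemp -d)
echo "racy: mode with secret on disk = $(write_cnf_racy "$demo_dir/racy.cnf" constructed-pass)"
echo "safe: mode with secret on disk = $(write_cnf_safe "$demo_dir/safe.cnf" constructed-pass)"
rm -rf "$demo_dir"
```

Both files end up with mode 600, so a permission check after installation cannot tell the two apart; only the order of operations differs.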