Debians sikkerhedsbulletin
DSA-303-1 mysql -- rettighedsforøgelse
- Rapporteret den:
- 15. maj 2003
- Berørte pakker:
- mysql
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 7052.
I Mitres CVE-ordbog: CVE-2003-0073, CVE-2003-0150. - Yderligere oplysninger:
-
CAN-2003-0073: Pakken mysql indeholder en fejl, hvor dynamisk allokeret hukommelse frigives mere end en gang, hvilket kunne iværksættes med vilje af en angriber og dermed få systemet til at gå ned, medførende at lammelsesangreb. For at udnytte denne sårbarhed, er en gyldig kombination af brugernavn og adgangskode krævet, for at få adgang til MySQL-serveren.
CAN-2003-0150: Pakken mysql indeholder en fejl, hvor en ondsindet bruger, der har visse rettigheder i mysql, kunne oprette en opsætningsfil, hvilket kunne få mysql-serveren til at køre som root, eller enhver anden bruger, i stedet for mysql-brugeren.
I den stabile distribution (woody) er begge problemer rettet i version 3.23.49-8.4.
Den gamle stabile distribution (potato) er kun påvirket af CAN-2003-0150 og dette er rettet i version 3.22.32-6.4.
I den ustabile distribution (sid), er CAN-2003-0073 rettet i version 4.0.12-2 og CAN-2003-0150 vil snart blive rettet.
Vi anbefaler at du opdaterer din mysql-pakke.
- Rettet i:
-
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
Debian GNU/Linux 2.2 (potato)
- Kildekode:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.