Debian Security Advisory
DSA-303-1 mysql -- privilege escalation
- Date Reported:
- 15 May 2003
- Affected Packages:
- mysql
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 7052.
In Mitre's CVE dictionary: CVE-2003-0073, CVE-2003-0150.
- More information:
CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once. An attacker can trigger this deliberately to crash the server, resulting in a denial of service condition. Exploiting this vulnerability requires a valid username and password combination for access to the MySQL server.
CAN-2003-0150: The mysql package contains a bug whereby a malicious user who has been granted certain permissions on the mysql server can create a configuration file that could cause the mysql server to run as root, or as any other user, rather than as the mysql user.
Both problems have been fixed in version 3.23.49-8.4 for the stable distribution (woody).
The old stable distribution (potato) is affected only by CAN-2003-0150, which has been fixed in version 3.22.32-6.4.
CAN-2003-0073 has been fixed in version 4.0.12-2 for the unstable distribution (sid), and a fix for CAN-2003-0150 will appear soon.
We recommend that you update your mysql package.
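A defender-side check for the CAN-2003-0150 condition described above, as an added example that is not part of the advisory: it reads option-file text and reports any `[mysqld]` `user` setting other than `mysql`. The option-file syntax it relies on (`[mysqld]` group, `user` option, `#` and `;` comments, last setting wins) is an assumption about the server's configuration format, and the sample paths and contents are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")

def mysqld_user_override(text):
    """Return the `user` value set in the [mysqld] group, or None if unset.

    Assumes MySQL option-file syntax; the last setting in the file wins.
    """
    section, user = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if section == "mysqld" and sep and key.strip() == "user":
            user = value.strip().strip("'\"")
    return user

def audit(files, expected="mysql"):
    """files maps path -> option-file text; return (path, user) for each override."""
    return [(path, user) for path, text in files.items()
            if (user := mysqld_user_override(text)) not in (None, expected)]

# Constructed sample input; the paths are placeholders, not taken from the advisory.
SAMPLES = {
    "<system-config>/my.cnf":
        "[client]\nuser = root\n\n[mysqld]\nuser = mysql\nport = 3306\n",
    "<data-directory>/my.cnf":
        "; constructed\n[mysqld]\nuser = mysql\nuser=root  # later line wins\n",
}

if __name__ == "__main__":
    for path, user in audit(SAMPLES):
        print(f"{path}: mysqld would run as {user!r}, expected 'mysql'")
```

A `user` entry under `[client]` is ignored because it names the login account for client programs, not the account the server runs as.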
- Fixed in:
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
MD5 checksums of the listed files are available in the original advisory.