Debian Security Advisory
DSA-303-1 mysql -- privilege escalation
- Date reported:
- 2003-05-15
- Affected packages:
- mysql
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 7052.
In Mitre's CVE dictionary: CVE-2003-0073, CVE-2003-0150.
- More information:
-
CAN-2003-0073: The mysql package contains a bug whereby dynamically allocated memory is freed more than once, which an attacker could deliberately trigger to cause a crash, resulting in a denial of service condition. Exploiting this vulnerability requires a valid user ID and password for access to the MySQL server.
CAN-2003-0150: The mysql package contains a bug whereby a malicious user who has been granted certain privileges within mysql could create a configuration file that could cause the mysql server to run as root, or as any other user, rather than as the mysql user.
For the stable distribution (Woody) both problems have been fixed in version 3.23.49-8.4.
The old stable distribution (Potato) is only affected by CAN-2003-0150, which has been fixed in version 3.22.32-6.4.
For the unstable distribution (Sid), CAN-2003-0073 was fixed in version 4.0.12-2, and CAN-2003-0150 will be fixed soon.
We recommend that you upgrade your mysql package.
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
MD5 checksums of these files are available in the original advisory.