Debian-Sicherheitsankündigung
DSA-1079-1 mysql-dfsg -- Mehrere Verwundbarkeiten
- Datum des Berichts:
- 29. Mai 2006
- Betroffene Pakete:
- mysql-dfsg
- Verwundbar:
- Ja
- Sicherheitsdatenbanken-Referenzen:
- In der Debian-Fehlerdatenbank: Fehler 366044, Fehler 366049, Fehler 366163.
In der Bugtraq-Datenbank (bei SecurityFocus): BugTraq ID 16850, BugTraq ID 17780.
In Mitres CVE-Verzeichnis: CVE-2006-0903, CVE-2006-1516, CVE-2006-1517, CVE-2006-1518.
CERTs Verwundbarkeiten, Hinweise und Ereignis-Notizen: VU#602457. - Weitere Informationen:
-
Mehrere Verwundbarkeiten wurden in MySQL, einer beliebten SQL-Datenbank, gefunden. Das
Common Vulnerabilities and Exposures Project
legt die folgenden Probleme fest:- CVE-2006-0903
Eine unangemessene Handhabung von SQL-Anfragen, die das NULL-Zeichen enthalten, erlaubt es lokalen Benutzern, Protokollierungsmechanismen zu umgehen.
- CVE-2006-1516
Benutzernamen ohne abschließendes Null-Byte erlauben es entfernten Angreifen, Teile des Speichers auszulesen.
- CVE-2006-1517
Eine Anfrage mit falscher Paketlänge erlaubt es entfernten angreifen, sensitive Informationen zu beziehen.
- CVE-2006-1518
Speziell erstellte Anfragepakete mit ungültigen Längewerten erlauben die Ausführung von beliebigem Code.
Die folgende Verwundbarkeitsmatrix zeigt, in welcher Version von MySQL dieses Problem für welche Distribution behoben wurde:
Woody Sarge Sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3 Wir empfehlen Ihnen, Ihre mysql-Pakete zu aktualisieren.
- CVE-2006-0903
- Behoben in:
-
Debian GNU/Linux 3.1 (sarge)
- Quellcode:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.dsc
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10sarge2.diff.gz
- Architektur-unabhängige Dateien:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-common_4.0.24-10sarge2_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mips.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-client_4.0.24-10sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/mysql-server_4.0.24-10sarge2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10sarge2_sparc.deb
MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.