--- Begin Message ---
- From: Matt Zimmerman <mdz@debian.org>
- Subject: [SECURITY] [DSA-303-1] New mysql packages fix multiple vulnerabilities
- Date: Thu, 15 May 2003 20:13:30 -0400
- Content-disposition: inline
- List-help: <mailto:debian-security-announce-request@lists.debian.org?subject=help>
- List-post: <mailto:debian-security-announce@lists.debian.org>
- List-subscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=subscribe>
- List-unsubscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=unsubscribe>
- Old-return-path: <mdz@xxxxxxxxxxx>
- Priority: urgent
- Resent-date: Thu, 15 May 2003 19:13:44 -0500 (CDT)
- Resent-from: debian-security-announce@lists.debian.org
- Resent-message-id: <TD1Ma.A.6HG.30Cx-@murphy>
- Resent-sender: debian-security-announce-request@lists.debian.org
- X-bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.11.2
- X-debian: PGP check passed for security officers
- X-loop: debian-security-announce@lists.debian.org
- X-mailing-list: <debian-security-announce@lists.debian.org>
- X-original-to: kmuto@xxxxxxxxxxxxxxx
- X-spam-checker-version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
- X-spam-level:
- X-spam-status: No, hits=-121.5 required=10.0 tests=BAYES_00,PGP_SIGNATURE,USER_AGENT_MUTT,USER_IN_WHITELIST, X_LOOP,X_MAILING_LIST autolearn=ham version=2.53
- X-virus-scanned: by amavisd-new-20030314-p1 (Debian) at topstudio.co.jp
- Message-id: <20030516001330.GE31656@xxxxxxxxx>
- User-agent: Mutt/1.5.4i
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 303-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
May 15th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mysql
Vulnerability : privilege escalation
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0073, CAN-2003-0150
CAN-2003-0073: The mysql package contains a bug whereby dynamically
allocated memory is freed more than once, which could be deliberately
triggered by an attacker to cause a crash, resulting in a denial of
service condition. In order to exploit this vulnerability, a valid
username and password combination for access to the MySQL server is
required.
CAN-2003-0150: The mysql package contains a bug whereby a malicious
user, granted certain permissions within mysql, could create a
configuration file which would cause the mysql server to run as root,
or any other user, rather than the mysql user.
For the stable distribution (woody) both problems have been fixed in
version 3.23.49-8.4.
The old stable distribution (potato) is only affected by
CAN-2003-0150, and this has been fixed in version 3.22.32-6.4.
For the unstable distribution (sid), CAN-2003-0073 was fixed in
version 4.0.12-2, and CAN-2003-0150 will be fixed soon.
We recommend that you update your mysql package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc
Size/MD5 checksum: 886 dffa9151341b51795caf44697143f6f9
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz
Size/MD5 checksum: 72122 be4d9a71e6640fd40e9b316841b7ae0e
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
Size/MD5 checksum: 11861035 a2820d81997779a9fdf1f4b3c321564a
Architecture independent components:
http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb
Size/MD5 checksum: 16616 a6d308e2d03cd3be901239baa1be388a
http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
Size/MD5 checksum: 1962846 b538ea9589ac54c302651534e2bc4e8b
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb
Size/MD5 checksum: 277416 a17fcb026291699dcb1b051314a71d90
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb
Size/MD5 checksum: 778474 01b0948dd0cf0877f53f095121186657
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb
Size/MD5 checksum: 163216 e6be327a08bc72fb8db433a0af9b41d0
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
Size/MD5 checksum: 3633954 64c12c4a3b69bdf148357a0a1a479469
ARM architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb
Size/MD5 checksum: 238046 774b001079f95c35ea88be11d67e775d
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb
Size/MD5 checksum: 634284 eb4db3ae1eb54cf11f7382b4b0727b9f
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb
Size/MD5 checksum: 123630 5608edfbdc9775e88ce437cb870d1750
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
Size/MD5 checksum: 2805654 b4710dec86a805034625d7b9856a7d12
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb
Size/MD5 checksum: 234398 cdcdf5dc35e34c48b01f45b176acba9f
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb
Size/MD5 checksum: 576406 dbe76a3e83bab136bffadfe1c8dc468c
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb
Size/MD5 checksum: 122240 7811d04423a4a1c17c22c44fb0a38dc1
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
Size/MD5 checksum: 2800476 aac5248b0e5a608828b192ab7cc0ba4b
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb
Size/MD5 checksum: 314754 61514f1241d050604b2e8e52252877bb
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb
Size/MD5 checksum: 848292 39854d7460d71196b1815c6b59b78097
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb
Size/MD5 checksum: 173492 82306dd70c0f55e17d987430a4495df9
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
Size/MD5 checksum: 3999800 e6f67c4a1e81665b7bc221a734e6d0b1
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb
Size/MD5 checksum: 280316 9acbce0515b8e030cc821cf42c1f6300
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb
Size/MD5 checksum: 743428 227ef882e4e2d2c78cfb6d4c42a058c1
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb
Size/MD5 checksum: 140298 a507d10215eec27be17d3fbcf3ac2b7c
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
Size/MD5 checksum: 3514686 930fce4f4e0d9e4b02f917d13f88c9fd
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb
Size/MD5 checksum: 227382 85d26489d8164b57ed0f929a0b82266d
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb
Size/MD5 checksum: 557500 a1ea17a4e9559e3fa74ab65a0f1dc6ff
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb
Size/MD5 checksum: 118080 2fab9a645752c4edc0d2571d8df4625a
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
Size/MD5 checksum: 2646470 9e1e657b5b48e3b311d024fc4a3e02d8
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb
Size/MD5 checksum: 250634 24efc32271417f6c1088d24f9112292d
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb
Size/MD5 checksum: 688722 abbd8a36aae20a0fe554496bd165dc90
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb
Size/MD5 checksum: 133584 afe4c3375f839d9362de4109c87e514e
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
Size/MD5 checksum: 2847586 2c46dff082360688ed0c26bb62195c4f
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb
Size/MD5 checksum: 250292 e6bd9229aff722e43b028e38f235025f
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb
Size/MD5 checksum: 688078 50454d0fe3448e7d71ddb2c63daa138c
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb
Size/MD5 checksum: 133922 63ae0463860094468b82cab6885b6931
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
Size/MD5 checksum: 2838896 38e2c2bf2a9b364080ecb05bd1e82b37
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb
Size/MD5 checksum: 247404 f7c7a7255225b9bd4cc26a3f48645f88
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb
Size/MD5 checksum: 652344 9a0b47815e4915756f3beb585bd35a41
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb
Size/MD5 checksum: 129128 57fe23b4059856302de47ff02a61f9ff
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
Size/MD5 checksum: 2822666 65117c17745024c0cb0bc07af8fdc181
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb
Size/MD5 checksum: 249708 e6caf6fd3796cf782502865d419341d8
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb
Size/MD5 checksum: 606782 2d6463b698fc62488e9ee87ad8b89a90
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb
Size/MD5 checksum: 126108 e2751df859c6c8cf7ebf5e1a3e2398bb
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
Size/MD5 checksum: 2690902 c2d61b902ff6b3ed500b431285b445c1
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb
Size/MD5 checksum: 240924 3c295207bcf57d2516401356d80d1450
http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb
Size/MD5 checksum: 615466 fe90d0ff7b9fdf7311b6b219c9db1b7a
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb
Size/MD5 checksum: 130078 fc0ffc9023dfd3fae659a077afd975df
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb
Size/MD5 checksum: 2939004 04e7c934a860c8e616cb205e23abba6c
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc
Size/MD5 checksum: 674 0068fe98d371be47dad2bae31a1b8f2a
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz
Size/MD5 checksum: 84753 f430cddd4b42e2346009de6c36ae4b0d
http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
Size/MD5 checksum: 4296259 e3d9cb3038a2e4378c9c0f4f9d8c2d58
Architecture independent components:
http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
Size/MD5 checksum: 1687148 9a6807eae4a6a36e80ffe1090e0ca8d9
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb
Size/MD5 checksum: 99636 666fc3f3ba5ce09aac3af8739cc71d13
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
Size/MD5 checksum: 790956 f9ba2a3053508973163a6dc8152fce52
ARM architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb
Size/MD5 checksum: 87380 c70f21c3a2a86d7ae659fb21e46fe1ae
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
Size/MD5 checksum: 603944 fc8c733a5966c7d48d3549939290a6be
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb
Size/MD5 checksum: 87020 416c768401102a0990b695bc2934e0c8
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
Size/MD5 checksum: 584930 1f7e3af12a75b01e46a192f4e6669f41
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb
Size/MD5 checksum: 84676 03508436943ae58f8df135c36cd80ef7
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
Size/MD5 checksum: 555302 a0a646d2cbe628ccfae5b424f7508ba5
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb
Size/MD5 checksum: 87692 b4a178029aec19d04150ce9cd5e075d8
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
Size/MD5 checksum: 632870 ead6825efc5572640b96b4bdf94d77f1
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb
Size/MD5 checksum: 94344 982ba0aa36d6ef03647aee8bf57c01df
http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb
Size/MD5 checksum: 612336 64957610af9008565d09016c426deca0
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+xCzXArxCt0PiXR4RAmHRAKCla7TQveKsVz5MG6fpNs09PVQFkgCgszTx
Wdt0TWoQC6i4p5ErHJRLr1Q=
=EK5e
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--- End Message ---