Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0473 -- [Win][UNIX/Linux][Debian]
New mysql-dfsg-4.1 packages fix denial of service
18 July 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: MySQL 4.1
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Denial of Service
Access: Existing Account
CVE Names: CVE-2006-3469 CVE-2006-3081
Original Bulletin: http://www.debian.org/security/2006/dsa-1112
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
using MySQL 4.1 check for an updated version of the software for
their operating system at http://www.mysql.com.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1112-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
July 18th, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : mysql-dfsg-4.1
Vulnerability : several
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-3081 CVE-2006-3469
Debian Bug : 373913 375694
Several local vulnerabilities have been discovered in the MySQL database
server, which may lead to denial of service. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2006-3081
"Kanatoko" discovered that the server can be crashed with feeding
NULL values to the str_to_date() function.
CVE-2006-3469
Jean-David Maillefer discovered that the server can be crashed with
specially crafted date_format() function calls.
For the stable distribution (sarge) these problems have been fixed in
version 4.1.11a-4sarge5.
For the unstable distribution (sid) does no longer contain MySQL 4.1
packages. MySQL 5.0 from sid is not affected.
We recommend that you upgrade your mysql-dfsg-4.1 packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
Size/MD5 checksum: 1021 9cd4f7df9345856d06846e0ddb50b9ee
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
Size/MD5 checksum: 168442 e45db0b01b3adaf09500d54090f3a1e1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3
Architecture independent components:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge5_all.deb
Size/MD5 checksum: 36520 e8115191126dc0b373a53024e5c78733
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_alpha.deb
Size/MD5 checksum: 1590788 297b4444903885a19c76a1217e83477d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_alpha.deb
Size/MD5 checksum: 7965184 8df4e20d157517541228fa52e4c60dbc
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_alpha.deb
Size/MD5 checksum: 1000952 4d62bca949f80c09f043a78b9e701ca5
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_alpha.deb
Size/MD5 checksum: 17487070 b357fcab1b57764e1ee8a341dd30def3
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_amd64.deb
Size/MD5 checksum: 1452034 a22b66b8e00b2409bf1428834af1073b
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_amd64.deb
Size/MD5 checksum: 5551704 731f50735026de2b95d9e9d9e19a7717
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_amd64.deb
Size/MD5 checksum: 849526 a0a5d944db8261044bcdddbe55ab03d6
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_amd64.deb
Size/MD5 checksum: 14711282 bf471f8b19fe0aa14bf04209c0eac975
ARM architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_arm.deb
Size/MD5 checksum: 1388864 1ed00eac905063c7caa7702bb6a4dcda
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_arm.deb
Size/MD5 checksum: 5558854 46fac3302d6e4677bb1dbce5f5aa1387
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_arm.deb
Size/MD5 checksum: 836766 5487191a4af54786066ac720456b5b68
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_arm.deb
Size/MD5 checksum: 14557630 1369e1f83fad8dfcbea1618e0acd821e
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_i386.deb
Size/MD5 checksum: 1418036 ab5768abe67a1d21c714a078f2ec86f0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
Size/MD5 checksum: 5643732 bf891e68e488947fd28a940a367d722f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_i386.deb
Size/MD5 checksum: 830724 f5d4a9e5b289d895ba021190f907829f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_i386.deb
Size/MD5 checksum: 14558034 b580eeaf7a3806b95a07435acbe48e27
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_ia64.deb
Size/MD5 checksum: 1713308 0067b2b9c41a412defde52f366e3c897
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_ia64.deb
Size/MD5 checksum: 7782486 3aabc5d9cf4bd642de338d58bdaf06f5
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_ia64.deb
Size/MD5 checksum: 1050616 d23aac0cd8ee2af56e54dfb5bac2f330
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_ia64.deb
Size/MD5 checksum: 18475936 9ddfe01a4b31abfed11b9bde23fac76f
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_hppa.deb
Size/MD5 checksum: 1551202 77244af3e0edbeaf716764fe9ac81e6f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_hppa.deb
Size/MD5 checksum: 6250286 fd9cb45d760605ee2a89f70af5cb9af3
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_hppa.deb
Size/MD5 checksum: 910046 38698cebd4b9f438fd09d9bbb9dcd92c
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_hppa.deb
Size/MD5 checksum: 15791130 8517866821789c2ac7343f9db6f59d3f
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_m68k.deb
Size/MD5 checksum: 1397964 e5166b54d56236e0bcbd677ae0b0612f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_m68k.deb
Size/MD5 checksum: 5284080 48f187b76145ed53de71074d1e19bd6a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_m68k.deb
Size/MD5 checksum: 803870 699c9078240853a353fbd70504285d51
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_m68k.deb
Size/MD5 checksum: 14072018 f2837081c2ff82f8510234e174db38b4
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_mips.deb
Size/MD5 checksum: 1478938 f6865d5d185ecc5b20dac7d0d7e129da
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_mips.deb
Size/MD5 checksum: 6053046 43b3f77618248df20870c85301465095
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_mips.deb
Size/MD5 checksum: 904490 351bde467510be873c1a2cdc57048523
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_mips.deb
Size/MD5 checksum: 15409966 a0332059581d3de6922e9313d6eef676
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_mipsel.deb
Size/MD5 checksum: 1446348 46a4c7d996016a4adcf56440b05fef21
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_mipsel.deb
Size/MD5 checksum: 5971326 6467ab19215d4e0e45084d3530929683
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_mipsel.deb
Size/MD5 checksum: 890130 52b93510c81b7d296074fc4c36a6d847
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_mipsel.deb
Size/MD5 checksum: 15105474 1ffe09b6dc5b370067bf337109188a25
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_powerpc.deb
Size/MD5 checksum: 1476860 3b5a3a41dcb3744a289e78e3310d1df1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_powerpc.deb
Size/MD5 checksum: 6027448 99a562b660721bc4dacd8997de8aab1f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_powerpc.deb
Size/MD5 checksum: 907410 9893e547ddfe66215e6bc3da4bf69724
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_powerpc.deb
Size/MD5 checksum: 15403210 25c8ae97be006ad171df2f3bdedc72a2
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_s390.deb
Size/MD5 checksum: 1538550 b105d416c3bcd7875984cecac926d076
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_s390.deb
Size/MD5 checksum: 5461556 00100b922054d9b9c3fc22b3a92b60c7
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_s390.deb
Size/MD5 checksum: 884294 37fe2778f39871852f9fa53677cffe2c
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_s390.deb
Size/MD5 checksum: 15055516 c22496ba5559e2fbb1f0a37cd889ee0b
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_sparc.deb
Size/MD5 checksum: 1460576 f4a2d46769a708b1ef70aa85e2b09277
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_sparc.deb
Size/MD5 checksum: 6208040 3dc2de911cc6cbcb4f637bfccbce988a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_sparc.deb
Size/MD5 checksum: 868258 1671384fa14d81404e3af7ffb555073e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_sparc.deb
Size/MD5 checksum: 15392304 6d9b9d762aa6088e416c1b987f853e96
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEvBoaXm3vHE4uyloRAjNHAKDYCyylFbJzy7B6HNonbBeY6hQdzACfZvwM
StoPTSj1GPfq6J9j5qveWTs=
=JCBl
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRLxArSh9+71yA2DNAQIrhQQAlC4KIDthFHUl5cxUpBLane3UtkEScRbf
bIh6J0LjvhOd3BarictARgXlZ7K6RYs9JOR54IItgawLUfQjkzr5IbVcKYIvWGA7
GB4swkzbQ8M/KrjFmkBZVz1vKlsv1x+jPX/8Irof3MUeaULNkUwr0JdFjT2xtiWW
nMNcqBow3Tg=
=Ao4S
-----END PGP SIGNATURE-----