Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0473 -- [Win][UNIX/Linux][Debian] New mysql-dfsg-4.1 packages fix denial of service 18 July 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: MySQL 4.1 Publisher: Debian Operating System: Debian GNU/Linux 3.1 UNIX variants (UNIX, Linux, OSX) Windows Impact: Denial of Service Access: Existing Account CVE Names: CVE-2006-3469 CVE-2006-3081 Original Bulletin: http://www.debian.org/security/2006/dsa-1112 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators using MySQL 4.1 check for an updated version of the software for their operating system at http://www.mysql.com. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1112-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 18th, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : mysql-dfsg-4.1 Vulnerability : several Problem-Type : local Debian-specific: no CVE ID : CVE-2006-3081 CVE-2006-3469 Debian Bug : 373913 375694 Several local vulnerabilities have been discovered in the MySQL database server, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-3081 "Kanatoko" discovered that the server can be crashed with feeding NULL values to the str_to_date() function. CVE-2006-3469 Jean-David Maillefer discovered that the server can be crashed with specially crafted date_format() function calls. For the stable distribution (sarge) these problems have been fixed in version 4.1.11a-4sarge5. For the unstable distribution (sid) does no longer contain MySQL 4.1 packages. MySQL 5.0 from sid is not affected. We recommend that you upgrade your mysql-dfsg-4.1 packages. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc Size/MD5 checksum: 1021 9cd4f7df9345856d06846e0ddb50b9ee http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz Size/MD5 checksum: 168442 e45db0b01b3adaf09500d54090f3a1e1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3 Architecture independent components: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge5_all.deb Size/MD5 checksum: 36520 e8115191126dc0b373a53024e5c78733 Alpha architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_alpha.deb Size/MD5 checksum: 1590788 297b4444903885a19c76a1217e83477d http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_alpha.deb Size/MD5 checksum: 7965184 8df4e20d157517541228fa52e4c60dbc http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_alpha.deb Size/MD5 checksum: 1000952 4d62bca949f80c09f043a78b9e701ca5 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_alpha.deb Size/MD5 checksum: 17487070 b357fcab1b57764e1ee8a341dd30def3 AMD64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_amd64.deb Size/MD5 checksum: 1452034 a22b66b8e00b2409bf1428834af1073b http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_amd64.deb Size/MD5 checksum: 5551704 731f50735026de2b95d9e9d9e19a7717 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_amd64.deb Size/MD5 checksum: 849526 a0a5d944db8261044bcdddbe55ab03d6 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_amd64.deb Size/MD5 checksum: 14711282 bf471f8b19fe0aa14bf04209c0eac975 ARM architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_arm.deb Size/MD5 checksum: 1388864 1ed00eac905063c7caa7702bb6a4dcda http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_arm.deb Size/MD5 checksum: 5558854 46fac3302d6e4677bb1dbce5f5aa1387 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_arm.deb Size/MD5 checksum: 836766 5487191a4af54786066ac720456b5b68 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_arm.deb Size/MD5 checksum: 14557630 1369e1f83fad8dfcbea1618e0acd821e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_i386.deb Size/MD5 checksum: 1418036 ab5768abe67a1d21c714a078f2ec86f0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb Size/MD5 checksum: 5643732 bf891e68e488947fd28a940a367d722f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_i386.deb Size/MD5 checksum: 830724 f5d4a9e5b289d895ba021190f907829f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_i386.deb Size/MD5 checksum: 14558034 b580eeaf7a3806b95a07435acbe48e27 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_ia64.deb Size/MD5 checksum: 1713308 0067b2b9c41a412defde52f366e3c897 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_ia64.deb Size/MD5 checksum: 7782486 3aabc5d9cf4bd642de338d58bdaf06f5 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_ia64.deb Size/MD5 checksum: 1050616 d23aac0cd8ee2af56e54dfb5bac2f330 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_ia64.deb Size/MD5 checksum: 18475936 9ddfe01a4b31abfed11b9bde23fac76f HP Precision architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_hppa.deb Size/MD5 checksum: 1551202 77244af3e0edbeaf716764fe9ac81e6f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_hppa.deb Size/MD5 checksum: 6250286 fd9cb45d760605ee2a89f70af5cb9af3 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_hppa.deb Size/MD5 checksum: 910046 38698cebd4b9f438fd09d9bbb9dcd92c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_hppa.deb Size/MD5 checksum: 15791130 8517866821789c2ac7343f9db6f59d3f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_m68k.deb Size/MD5 checksum: 1397964 e5166b54d56236e0bcbd677ae0b0612f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_m68k.deb Size/MD5 checksum: 5284080 48f187b76145ed53de71074d1e19bd6a http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_m68k.deb Size/MD5 checksum: 803870 699c9078240853a353fbd70504285d51 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_m68k.deb Size/MD5 checksum: 14072018 f2837081c2ff82f8510234e174db38b4 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_mips.deb Size/MD5 checksum: 1478938 f6865d5d185ecc5b20dac7d0d7e129da http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_mips.deb Size/MD5 checksum: 6053046 43b3f77618248df20870c85301465095 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_mips.deb Size/MD5 checksum: 904490 351bde467510be873c1a2cdc57048523 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_mips.deb Size/MD5 checksum: 15409966 a0332059581d3de6922e9313d6eef676 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_mipsel.deb Size/MD5 checksum: 1446348 46a4c7d996016a4adcf56440b05fef21 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_mipsel.deb Size/MD5 checksum: 5971326 6467ab19215d4e0e45084d3530929683 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_mipsel.deb Size/MD5 checksum: 890130 52b93510c81b7d296074fc4c36a6d847 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_mipsel.deb Size/MD5 checksum: 15105474 1ffe09b6dc5b370067bf337109188a25 PowerPC architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_powerpc.deb Size/MD5 checksum: 1476860 3b5a3a41dcb3744a289e78e3310d1df1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_powerpc.deb Size/MD5 checksum: 6027448 99a562b660721bc4dacd8997de8aab1f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_powerpc.deb Size/MD5 checksum: 907410 9893e547ddfe66215e6bc3da4bf69724 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_powerpc.deb Size/MD5 checksum: 15403210 25c8ae97be006ad171df2f3bdedc72a2 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_s390.deb Size/MD5 checksum: 1538550 b105d416c3bcd7875984cecac926d076 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_s390.deb Size/MD5 checksum: 5461556 00100b922054d9b9c3fc22b3a92b60c7 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_s390.deb Size/MD5 checksum: 884294 37fe2778f39871852f9fa53677cffe2c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_s390.deb Size/MD5 checksum: 15055516 c22496ba5559e2fbb1f0a37cd889ee0b Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_sparc.deb Size/MD5 checksum: 1460576 f4a2d46769a708b1ef70aa85e2b09277 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_sparc.deb Size/MD5 checksum: 6208040 3dc2de911cc6cbcb4f637bfccbce988a http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_sparc.deb Size/MD5 checksum: 868258 1671384fa14d81404e3af7ffb555073e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_sparc.deb Size/MD5 checksum: 15392304 6d9b9d762aa6088e416c1b987f853e96 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEvBoaXm3vHE4uyloRAjNHAKDYCyylFbJzy7B6HNonbBeY6hQdzACfZvwM StoPTSj1GPfq6J9j5qveWTs= =JCBl - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRLxArSh9+71yA2DNAQIrhQQAlC4KIDthFHUl5cxUpBLane3UtkEScRbf bIh6J0LjvhOd3BarictARgXlZ7K6RYs9JOR54IItgawLUfQjkzr5IbVcKYIvWGA7 GB4swkzbQ8M/KrjFmkBZVz1vKlsv1x+jPX/8Irof3MUeaULNkUwr0JdFjT2xtiWW nMNcqBow3Tg= =Ao4S -----END PGP SIGNATURE-----