Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0634 -- [UNIX/Linux][Debian] New MySQL 4.1 packages fix several vulnerabilities 5 September 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mysql-dfsg-4.1 Publisher: Debian Operating System: Debian GNU/Linux 3.1 UNIX variants (UNIX, Linux, OSX) Impact: Inappropriate Access Denial of Service Access: Existing Account CVE Names: CVE-2006-4380 CVE-2006-4226 Original Bulletin: http://www.debian.org/security/2006/dsa-1169 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running MySQL check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1169-1 security@debian.org http://www.debian.org/security/ Martin Schulze September 5th, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : mysql-dfsg-4.1 Vulnerability : several Problem type : remote Debian-specific: no CVE IDs : CVE-2006-4226 CVE-2006-4380 BugTraq ID : 19559 Several local vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-4226 Michal Prokopiuk discovered that remote authenticated users are permitted to create and access a database if the lowercase spelling is the same as one they have been granted access to. CVE-2006-4380 Beat Vontobel discovered that certain queries replicated to a slave could crash the client and thus terminate the replication. For the stable distribution (sarge) these problems have been fixed in version 4.1.11a-4sarge7. Version 4.0 is not affected by these problems. For the unstable distribution (sid) these problems have been fixed in version 5.0.24-3. The replication problem only exists in version 4.1. We recommend that you upgrade your mysql-server-4.1 package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge7.dsc Size/MD5 checksum: 1029 f78ce0ba986d5447bb8f97615a256d34 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge7.diff.gz Size/MD5 checksum: 171446 886a2834418b0dbf73f0a24601d6614b http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3 Architecture independent components: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge7_all.deb Size/MD5 checksum: 36734 693a8ef06aa29be6cad675de2a6a7f58 Alpha architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_alpha.deb Size/MD5 checksum: 1591008 095cb0959a26aa12ba1098ec1527f2f6 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_alpha.deb Size/MD5 checksum: 7965692 2b360e6ce8675de52bf8ac0388b67e88 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_alpha.deb Size/MD5 checksum: 1001216 935a4004111792c92283169faaf27a2b http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_alpha.deb Size/MD5 checksum: 17487402 37fd9a23880da7f6c9d01f582de30b2a AMD64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_amd64.deb Size/MD5 checksum: 1452264 613001b313f49f98b3642fdbb1cefd47 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_amd64.deb Size/MD5 checksum: 5552006 e07c66d2d0775fabe1873b63326f91ce http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_amd64.deb Size/MD5 checksum: 849788 d2ac22320d4990db02c7ef669801f8a9 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_amd64.deb Size/MD5 checksum: 14711714 ff7e791223a16ea3db62bebb61199991 ARM architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_arm.deb Size/MD5 checksum: 1389010 e78ef65cabee94c4bb980ddba4858101 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_arm.deb Size/MD5 checksum: 5559036 05d9e88ab7b202066bde6412faa5610e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_arm.deb Size/MD5 checksum: 837066 2ce1305c8ec4cc9f13180b9643060b5e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_arm.deb Size/MD5 checksum: 14558032 394408c010fecbd7dd56c189a707c9dc HP Precision architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_hppa.deb Size/MD5 checksum: 1551436 2140033cb49600177d143589a4d5f5e5 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_hppa.deb Size/MD5 checksum: 6250450 2ac95caa193ffe8da3ee5a1f3666a6e9 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_hppa.deb Size/MD5 checksum: 910286 4ea3496ccfcaf43267ac696d82a5b241 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_hppa.deb Size/MD5 checksum: 15791676 0100c389eed339cc92adf996903d325e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_i386.deb Size/MD5 checksum: 1418264 58cb49aa03d8635c6d89fc7a7a4bfeed http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_i386.deb Size/MD5 checksum: 5644334 4d28d754a1b1806a9c884d50507e9bbe http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_i386.deb Size/MD5 checksum: 830950 7591a44d9a2a5113d81724af061553c7 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_i386.deb Size/MD5 checksum: 14558420 5118b4d564821315737f5c36cd76da2a Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_ia64.deb Size/MD5 checksum: 1713606 6947d7391e6eda458e11af75136facec http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_ia64.deb Size/MD5 checksum: 7782698 617e920c805eb801485d9407abea748c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_ia64.deb Size/MD5 checksum: 1050822 036df024dd1fc33786cc39665e874ca8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_ia64.deb Size/MD5 checksum: 18476104 1ad4add7db75445e9ba57b5675df117a Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_m68k.deb Size/MD5 checksum: 1398210 dc9e4c11345095e4fb8d09633e2d3cc1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_m68k.deb Size/MD5 checksum: 5284390 58ceec50857da346c543371d1a7c2cb1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_m68k.deb Size/MD5 checksum: 804080 e8901755fad09fbacff320e695640998 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_m68k.deb Size/MD5 checksum: 14072066 3f2688ab0826890c0ce7c96010059d9d Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_mips.deb Size/MD5 checksum: 1479186 0ee29d53649f758a92cd30d34c76ee44 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_mips.deb Size/MD5 checksum: 6053370 325e30177b30512ddfc21b3a29c9ef35 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_mips.deb Size/MD5 checksum: 904744 822028a9dc30c8184fb39e7d3702b584 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_mips.deb Size/MD5 checksum: 15410530 2350cc94b072a7370335920f2b71c00c Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_mipsel.deb Size/MD5 checksum: 1446606 bddf2675d1c6d4612124add24decfb04 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_mipsel.deb Size/MD5 checksum: 5971626 0a9612cf1b841d18528494266e456466 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_mipsel.deb Size/MD5 checksum: 890406 ce87ddbff8e3ccf21ee50b1f1b5ea6af http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_mipsel.deb Size/MD5 checksum: 15105788 e55f9025ab01276e6b56674d3788fc21 PowerPC architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_powerpc.deb Size/MD5 checksum: 1477098 e6e5c35fd56e9c8fb300dbc2c27ce367 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_powerpc.deb Size/MD5 checksum: 6027864 c60d3023d5a353b6f65bd1e0b9eb3acc http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_powerpc.deb Size/MD5 checksum: 907698 197e9976c06dcf131d5ce4a84782ff18 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_powerpc.deb Size/MD5 checksum: 15403250 7294d99a4b1184c27943064d7ea8a2a3 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_s390.deb Size/MD5 checksum: 1538810 7c0ef4dd57c055eb2776e479ccccc30d http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_s390.deb Size/MD5 checksum: 5461924 44b8f22c760e7897986d1ad51a1f43fd http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_s390.deb Size/MD5 checksum: 884554 7a677766c77b2853e5b9732a1c13abc4 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_s390.deb Size/MD5 checksum: 15055448 8577cf00fc82d39b576a6d5f03c9ed10 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_sparc.deb Size/MD5 checksum: 1460740 6b26255d617fef7d78f32ace3d2820ef http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_sparc.deb Size/MD5 checksum: 6208326 e609ca26560489ded95cc1099b76a04c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_sparc.deb Size/MD5 checksum: 868486 a44ad9b7c9ded79533b610bd0ac36672 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_sparc.deb Size/MD5 checksum: 15392204 2d2de1308dc7ef64dfbf8f47ffe1d2e9 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE/RRdW5ql+IAeqTIRAmLPAJ9TQ1BiNlOGiiXdWSdhA25FgImZ6wCgh4O1 A2dMgrF3UJBBf2R7IJ2n0E8= =UXE7 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRP4KTih9+71yA2DNAQLElwP/biDj+TFFfVIKcdVTBLJ98qeG+Cu4PdND vFhQwqZttUegGc4A9x7z+59VbcWpi/aH/TZcjkKc75IZ2RZ9uTWRAIRwZyKWoF4h 2SUG2oUYXUgqc7gM45hL6zyIaKXQPj0UkeJPKW72bhn78ywr28B7O5xDGttbioTr HeIKTb0wTWY= =ZnD2 -----END PGP SIGNATURE-----