-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2006.0634 -- [UNIX/Linux][Debian]
            New MySQL 4.1 packages fix several vulnerabilities
                             5 September 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              mysql-dfsg-4.1
Publisher:            Debian
Operating System:     Debian GNU/Linux 3.1
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Inappropriate Access
                      Denial of Service
Access:               Existing Account
CVE Names:            CVE-2006-4380 CVE-2006-4226

Original Bulletin:    http://www.debian.org/security/2006/dsa-1169

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running MySQL check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1169-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 5th, 2006                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : mysql-dfsg-4.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4226 CVE-2006-4380
BugTraq ID     : 19559

Several local vulnerabilities have been discovered in the MySQL
database server.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2006-4226

    Michal Prokopiuk discovered that remote authenticated users are
    permitted to create and access a database if the lowercase
    spelling is the same as one they have been granted access to.

CVE-2006-4380

    Beat Vontobel discovered that certain queries replicated to a
    slave could crash the client and thus terminate the replication.

For the stable distribution (sarge) these problems have been fixed in
version 4.1.11a-4sarge7.  Version 4.0 is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 5.0.24-3.  The replication problem only exists in version 4.1.

We recommend that you upgrade your mysql-server-4.1 package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge7.dsc
      Size/MD5 checksum:     1029 f78ce0ba986d5447bb8f97615a256d34
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge7.diff.gz
      Size/MD5 checksum:   171446 886a2834418b0dbf73f0a24601d6614b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
      Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge7_all.deb
      Size/MD5 checksum:    36734 693a8ef06aa29be6cad675de2a6a7f58

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_alpha.deb
      Size/MD5 checksum:  1591008 095cb0959a26aa12ba1098ec1527f2f6
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_alpha.deb
      Size/MD5 checksum:  7965692 2b360e6ce8675de52bf8ac0388b67e88
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_alpha.deb
      Size/MD5 checksum:  1001216 935a4004111792c92283169faaf27a2b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_alpha.deb
      Size/MD5 checksum: 17487402 37fd9a23880da7f6c9d01f582de30b2a

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_amd64.deb
      Size/MD5 checksum:  1452264 613001b313f49f98b3642fdbb1cefd47
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_amd64.deb
      Size/MD5 checksum:  5552006 e07c66d2d0775fabe1873b63326f91ce
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_amd64.deb
      Size/MD5 checksum:   849788 d2ac22320d4990db02c7ef669801f8a9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_amd64.deb
      Size/MD5 checksum: 14711714 ff7e791223a16ea3db62bebb61199991

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_arm.deb
      Size/MD5 checksum:  1389010 e78ef65cabee94c4bb980ddba4858101
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_arm.deb
      Size/MD5 checksum:  5559036 05d9e88ab7b202066bde6412faa5610e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_arm.deb
      Size/MD5 checksum:   837066 2ce1305c8ec4cc9f13180b9643060b5e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_arm.deb
      Size/MD5 checksum: 14558032 394408c010fecbd7dd56c189a707c9dc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_hppa.deb
      Size/MD5 checksum:  1551436 2140033cb49600177d143589a4d5f5e5
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_hppa.deb
      Size/MD5 checksum:  6250450 2ac95caa193ffe8da3ee5a1f3666a6e9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_hppa.deb
      Size/MD5 checksum:   910286 4ea3496ccfcaf43267ac696d82a5b241
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_hppa.deb
      Size/MD5 checksum: 15791676 0100c389eed339cc92adf996903d325e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_i386.deb
      Size/MD5 checksum:  1418264 58cb49aa03d8635c6d89fc7a7a4bfeed
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_i386.deb
      Size/MD5 checksum:  5644334 4d28d754a1b1806a9c884d50507e9bbe
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_i386.deb
      Size/MD5 checksum:   830950 7591a44d9a2a5113d81724af061553c7
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_i386.deb
      Size/MD5 checksum: 14558420 5118b4d564821315737f5c36cd76da2a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_ia64.deb
      Size/MD5 checksum:  1713606 6947d7391e6eda458e11af75136facec
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_ia64.deb
      Size/MD5 checksum:  7782698 617e920c805eb801485d9407abea748c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_ia64.deb
      Size/MD5 checksum:  1050822 036df024dd1fc33786cc39665e874ca8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_ia64.deb
      Size/MD5 checksum: 18476104 1ad4add7db75445e9ba57b5675df117a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_m68k.deb
      Size/MD5 checksum:  1398210 dc9e4c11345095e4fb8d09633e2d3cc1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_m68k.deb
      Size/MD5 checksum:  5284390 58ceec50857da346c543371d1a7c2cb1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_m68k.deb
      Size/MD5 checksum:   804080 e8901755fad09fbacff320e695640998
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_m68k.deb
      Size/MD5 checksum: 14072066 3f2688ab0826890c0ce7c96010059d9d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_mips.deb
      Size/MD5 checksum:  1479186 0ee29d53649f758a92cd30d34c76ee44
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_mips.deb
      Size/MD5 checksum:  6053370 325e30177b30512ddfc21b3a29c9ef35
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_mips.deb
      Size/MD5 checksum:   904744 822028a9dc30c8184fb39e7d3702b584
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_mips.deb
      Size/MD5 checksum: 15410530 2350cc94b072a7370335920f2b71c00c

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_mipsel.deb
      Size/MD5 checksum:  1446606 bddf2675d1c6d4612124add24decfb04
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_mipsel.deb
      Size/MD5 checksum:  5971626 0a9612cf1b841d18528494266e456466
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_mipsel.deb
      Size/MD5 checksum:   890406 ce87ddbff8e3ccf21ee50b1f1b5ea6af
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_mipsel.deb
      Size/MD5 checksum: 15105788 e55f9025ab01276e6b56674d3788fc21

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_powerpc.deb
      Size/MD5 checksum:  1477098 e6e5c35fd56e9c8fb300dbc2c27ce367
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_powerpc.deb
      Size/MD5 checksum:  6027864 c60d3023d5a353b6f65bd1e0b9eb3acc
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_powerpc.deb
      Size/MD5 checksum:   907698 197e9976c06dcf131d5ce4a84782ff18
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_powerpc.deb
      Size/MD5 checksum: 15403250 7294d99a4b1184c27943064d7ea8a2a3

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_s390.deb
      Size/MD5 checksum:  1538810 7c0ef4dd57c055eb2776e479ccccc30d
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_s390.deb
      Size/MD5 checksum:  5461924 44b8f22c760e7897986d1ad51a1f43fd
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_s390.deb
      Size/MD5 checksum:   884554 7a677766c77b2853e5b9732a1c13abc4
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_s390.deb
      Size/MD5 checksum: 15055448 8577cf00fc82d39b576a6d5f03c9ed10

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge7_sparc.deb
      Size/MD5 checksum:  1460740 6b26255d617fef7d78f32ace3d2820ef
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge7_sparc.deb
      Size/MD5 checksum:  6208326 e609ca26560489ded95cc1099b76a04c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge7_sparc.deb
      Size/MD5 checksum:   868486 a44ad9b7c9ded79533b610bd0ac36672
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge7_sparc.deb
      Size/MD5 checksum: 15392204 2d2de1308dc7ef64dfbf8f47ffe1d2e9


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE/RRdW5ql+IAeqTIRAmLPAJ9TQ1BiNlOGiiXdWSdhA25FgImZ6wCgh4O1
A2dMgrF3UJBBf2R7IJ2n0E8=
=UXE7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRP4KTih9+71yA2DNAQLElwP/biDj+TFFfVIKcdVTBLJ98qeG+Cu4PdND
vFhQwqZttUegGc4A9x7z+59VbcWpi/aH/TZcjkKc75IZ2RZ9uTWRAIRwZyKWoF4h
2SUG2oUYXUgqc7gM45hL6zyIaKXQPj0UkeJPKW72bhn78ywr28B7O5xDGttbioTr
HeIKTb0wTWY=
=ZnD2
-----END PGP SIGNATURE-----