Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0222 -- [RedHat] Moderate: mysql security update 5 April 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mysql Publisher: Red Hat Operating System: Red Hat Enterprise Linux 4 Impact: Inappropriate Access Access: Existing Account CVE Names: CVE-2006-4226 Ref: ESB-2006.0757 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2007-0152.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Moderate: mysql security update Advisory ID: RHSA-2007:0152-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0152.html Issue date: 2007-04-03 Updated on: 2007-04-03 Product: Red Hat Enterprise Linux CVE Names: CVE-2006-4226 - - --------------------------------------------------------------------- 1. Summary: Updated mysql packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way MySQL handled case sensitive database names. A user with the ability to create databases could gain unauthorized access to other databases hosted by the MySQL server. (CVE-2006-4226) This flaw does not affect the version of MySQL distributed with Red Hat Enterprise Linux 2.1, 3, or 5. All users of the MySQL server are advised to upgrade to these updated packages, which contain a backported patch which fixes this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bug IDs fixed (http://bugzilla.redhat.com/): 203426 - CVE-2006-4226 mysql-server create database privilege escalation 6. RPMs required: Red Hat Enterprise Linux AS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm 6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm i386: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm 826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm 87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm 8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm ia64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm 729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm ppc: 06050350191dcfa02bf1992a172c89ff mysql-4.1.20-2.RHEL4.1.ppc.rpm 67828e4ea169bca5117cd259e23f3d0b mysql-4.1.20-2.RHEL4.1.ppc64.rpm e09f97506031cd8c3c0f1cec6ff86afb mysql-bench-4.1.20-2.RHEL4.1.ppc.rpm 8d437be16b17ae77cbf6dc9fdf7ce172 mysql-debuginfo-4.1.20-2.RHEL4.1.ppc.rpm b8ba95488bd27738f3ecc7a5233208e7 mysql-debuginfo-4.1.20-2.RHEL4.1.ppc64.rpm ada8633133ee7733144a70ce606f1608 mysql-devel-4.1.20-2.RHEL4.1.ppc.rpm ddd7c96555967d2e620420e7ca5c4bde mysql-server-4.1.20-2.RHEL4.1.ppc.rpm s390: 7437a06a1fe40799113d55cb2528be69 mysql-4.1.20-2.RHEL4.1.s390.rpm 77a0e7b3538c9a0b4bd036031a5beff0 mysql-bench-4.1.20-2.RHEL4.1.s390.rpm e9595c7729c31128b2158e3dfc287db4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390.rpm 063e45c5005e7495d5412cff0ce10479 mysql-devel-4.1.20-2.RHEL4.1.s390.rpm 15a47f88b75f3a1106c001364e9089db mysql-server-4.1.20-2.RHEL4.1.s390.rpm s390x: 7437a06a1fe40799113d55cb2528be69 mysql-4.1.20-2.RHEL4.1.s390.rpm 84a23520166f1724152a7011ac5acc6d mysql-4.1.20-2.RHEL4.1.s390x.rpm 92ed2bd7d10af251091ce1328d61d882 mysql-bench-4.1.20-2.RHEL4.1.s390x.rpm e9595c7729c31128b2158e3dfc287db4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390.rpm a5f6f194b648479fdfe55ba29e82aec4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390x.rpm 002e3124325cb7e56cf95aa23a12200e mysql-devel-4.1.20-2.RHEL4.1.s390x.rpm 142afd7330c2963edb92eaf40511ddb6 mysql-server-4.1.20-2.RHEL4.1.s390x.rpm x86_64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm 29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: SRPMS: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm 6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm i386: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm 826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm 87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm 8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm x86_64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm 29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm Red Hat Enterprise Linux ES version 4: SRPMS: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm 6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm i386: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm 826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm 87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm 8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm ia64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm 729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm x86_64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm 29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm Red Hat Enterprise Linux WS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm 6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm i386: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm 826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm 87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm 8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm ia64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm 729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm x86_64: e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm 29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2007 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFGEqhvXlSAg2UNWIIRAsu/AJkBvWWY6ZkPsYJzWHb/z4QXAiik5QCgqXAY 7U/kz8zFWpEB2qVjCAG5ZOs= =uwHp - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRhQ8LCh9+71yA2DNAQKTQAP/Y/vtd+cKeEds2UjSnoP/Bprv9v8CHPZE +rnFOFz+i/zDmDgiTUnDBFtTxj1MA8xT4h82M7ru1fdjQB5JL+0JiRp14tbVOWGp LiS9ZlZNvwShabHaOdFTKBjHhfxkZKD4QGFYQWBupUD+l4OtUIQ2C98D+wcTbNtR ZpIrZu1xprk= =1A4K -----END PGP SIGNATURE-----