Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0222 -- [RedHat]
Moderate: mysql security update
5 April 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mysql
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux 4
Impact: Inappropriate Access
Access: Existing Account
CVE Names: CVE-2006-4226
Ref: ESB-2006.0757
Original Bulletin: https://rhn.redhat.com/errata/RHSA-2007-0152.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: mysql security update
Advisory ID: RHSA-2007:0152-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0152.html
Issue date: 2007-04-03
Updated on: 2007-04-03
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-4226
- - ---------------------------------------------------------------------
1. Summary:
Updated mysql packages that fix a security flaw are now available for Red
Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by the Red Hat
Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld) and
many different client programs and libraries.
A flaw was found in the way MySQL handled case sensitive database names. A
user with the ability to create databases could gain unauthorized access to
other databases hosted by the MySQL server. (CVE-2006-4226)
This flaw does not affect the version of MySQL distributed with Red Hat
Enterprise Linux 2.1, 3, or 5.
All users of the MySQL server are advised to upgrade to these updated
packages, which contain a backported patch which fixes this issue.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
203426 - CVE-2006-4226 mysql-server create database privilege escalation
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm
6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm
i386:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm
8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm
ia64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm
729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm
be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm
cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm
ppc:
06050350191dcfa02bf1992a172c89ff mysql-4.1.20-2.RHEL4.1.ppc.rpm
67828e4ea169bca5117cd259e23f3d0b mysql-4.1.20-2.RHEL4.1.ppc64.rpm
e09f97506031cd8c3c0f1cec6ff86afb mysql-bench-4.1.20-2.RHEL4.1.ppc.rpm
8d437be16b17ae77cbf6dc9fdf7ce172 mysql-debuginfo-4.1.20-2.RHEL4.1.ppc.rpm
b8ba95488bd27738f3ecc7a5233208e7 mysql-debuginfo-4.1.20-2.RHEL4.1.ppc64.rpm
ada8633133ee7733144a70ce606f1608 mysql-devel-4.1.20-2.RHEL4.1.ppc.rpm
ddd7c96555967d2e620420e7ca5c4bde mysql-server-4.1.20-2.RHEL4.1.ppc.rpm
s390:
7437a06a1fe40799113d55cb2528be69 mysql-4.1.20-2.RHEL4.1.s390.rpm
77a0e7b3538c9a0b4bd036031a5beff0 mysql-bench-4.1.20-2.RHEL4.1.s390.rpm
e9595c7729c31128b2158e3dfc287db4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390.rpm
063e45c5005e7495d5412cff0ce10479 mysql-devel-4.1.20-2.RHEL4.1.s390.rpm
15a47f88b75f3a1106c001364e9089db mysql-server-4.1.20-2.RHEL4.1.s390.rpm
s390x:
7437a06a1fe40799113d55cb2528be69 mysql-4.1.20-2.RHEL4.1.s390.rpm
84a23520166f1724152a7011ac5acc6d mysql-4.1.20-2.RHEL4.1.s390x.rpm
92ed2bd7d10af251091ce1328d61d882 mysql-bench-4.1.20-2.RHEL4.1.s390x.rpm
e9595c7729c31128b2158e3dfc287db4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390.rpm
a5f6f194b648479fdfe55ba29e82aec4 mysql-debuginfo-4.1.20-2.RHEL4.1.s390x.rpm
002e3124325cb7e56cf95aa23a12200e mysql-devel-4.1.20-2.RHEL4.1.s390x.rpm
142afd7330c2963edb92eaf40511ddb6 mysql-server-4.1.20-2.RHEL4.1.s390x.rpm
x86_64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm
29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm
fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm
da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm
6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm
i386:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm
8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm
x86_64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm
29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm
fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm
da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm
6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm
i386:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm
8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm
ia64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm
729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm
be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm
cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm
x86_64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm
29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm
fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm
da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/mysql-4.1.20-2.RHEL4.1.src.rpm
6c7f8075f117be3e16833db1169c084a mysql-4.1.20-2.RHEL4.1.src.rpm
i386:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
826c5a83fc373d25d3cf5fd59b66a4a0 mysql-bench-4.1.20-2.RHEL4.1.i386.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
87a1443bb37a3db76bd81ef225ad43c0 mysql-devel-4.1.20-2.RHEL4.1.i386.rpm
8b01c92ea2bddffe3eae6b3da54d41dc mysql-server-4.1.20-2.RHEL4.1.i386.rpm
ia64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
e8b5e4be135fcfe41ec0c17b9b7454c9 mysql-4.1.20-2.RHEL4.1.ia64.rpm
729494527ddbc0baba8d3bfdcb7c9fb1 mysql-bench-4.1.20-2.RHEL4.1.ia64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
e92361c5b92c1d05922dada1120cd70e mysql-debuginfo-4.1.20-2.RHEL4.1.ia64.rpm
be0d10aec73081c39fea2936a7e6247c mysql-devel-4.1.20-2.RHEL4.1.ia64.rpm
cbd5e40ade56eee5725a78089dadbfcd mysql-server-4.1.20-2.RHEL4.1.ia64.rpm
x86_64:
e8da68fdd73da636b0d13d0704a187bf mysql-4.1.20-2.RHEL4.1.i386.rpm
a1634953cd1be078a0af0e0b8c42b50e mysql-4.1.20-2.RHEL4.1.x86_64.rpm
29275638e0c420d8d859b087155db196 mysql-bench-4.1.20-2.RHEL4.1.x86_64.rpm
c73b4413942dfdab4a263e58fddbbebb mysql-debuginfo-4.1.20-2.RHEL4.1.i386.rpm
fc1c8fd9dda6c6b07a1d7a7b05b0a8b1 mysql-debuginfo-4.1.20-2.RHEL4.1.x86_64.rpm
fe4593105f2cb95aeaad60bd11b5bbad mysql-devel-4.1.20-2.RHEL4.1.x86_64.rpm
da55ebb822229a8c15660c763737dff8 mysql-server-4.1.20-2.RHEL4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFGEqhvXlSAg2UNWIIRAsu/AJkBvWWY6ZkPsYJzWHb/z4QXAiik5QCgqXAY
7U/kz8zFWpEB2qVjCAG5ZOs=
=uwHp
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRhQ8LCh9+71yA2DNAQKTQAP/Y/vtd+cKeEds2UjSnoP/Bprv9v8CHPZE
+rnFOFz+i/zDmDgiTUnDBFtTxj1MA8xT4h82M7ru1fdjQB5JL+0JiRp14tbVOWGp
LiS9ZlZNvwShabHaOdFTKBjHhfxkZKD4QGFYQWBupUD+l4OtUIQ2C98D+wcTbNtR
ZpIrZu1xprk=
=1A4K
-----END PGP SIGNATURE-----