exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-326

Mandriva Linux Security Advisory 2009-326
Posted Dec 7, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-326 - Multiple vulnerabilities has been found and corrected in mysql. Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides fixes for this vulnerability.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2008-3963, CVE-2008-4098, CVE-2008-4456, CVE-2009-2446
SHA-256 | 9206e9b5ad62079eab88cd261aeacc324cd78e7b929cb7e7acc5a4a3cfdb79cb

Mandriva Linux Security Advisory 2009-326

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:326
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mysql
Date : December 7, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in mysql:

MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6
does not properly handle a b'' (b single-quote single-quote) token,
aka an empty bit-string literal, which allows remote attackers to
cause a denial of service (daemon crash) by using this token in a
SQL statement (CVE-2008-3963).

MySQL before 5.0.67 allows local users to bypass certain privilege
checks by calling CREATE TABLE on a MyISAM table with modified (1)
DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally
associated with pathnames without symlinks, and that can point to
tables created at a future time at which a pathname is modified
to contain a symlink to a subdirectory of the MySQL home data
directory. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2008-4097 (CVE-2008-4098).

Cross-site scripting (XSS) vulnerability in the command-line client
in MySQL 5.0.26 through 5.0.45, when the --html option is enabled,
allows attackers to inject arbitrary web script or HTML by placing
it in a database cell, which might be accessed by this client when
composing an HTML document (CVE-2008-4456).

Multiple format string vulnerabilities in the dispatch_command function
in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow
remote authenticated users to cause a denial of service (daemon crash)
and possibly have unspecified other impact via format string specifiers
in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.
NOTE: some of these details are obtained from third party information
(CVE-2009-2446).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update provides fixes for this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
ae69b85b696ede452665a3dfe40d602b 2008.0/i586/libmysql15-5.0.45-8.3mdv2008.0.i586.rpm
f6eb37fb5cc75b4d1a49de76a4342f6a 2008.0/i586/libmysql-devel-5.0.45-8.3mdv2008.0.i586.rpm
7175d70122ba697194ed1adf6e29d37d 2008.0/i586/libmysql-static-devel-5.0.45-8.3mdv2008.0.i586.rpm
495bc59b243e7d6eda09c275cf593d5d 2008.0/i586/mysql-5.0.45-8.3mdv2008.0.i586.rpm
1a6a5f377487543980d05b0d34e9343c 2008.0/i586/mysql-bench-5.0.45-8.3mdv2008.0.i586.rpm
ba4598db2f067bda0d921fb26da64d96 2008.0/i586/mysql-client-5.0.45-8.3mdv2008.0.i586.rpm
170a4609fa3ed65ddcc8e5956bcb5f11 2008.0/i586/mysql-common-5.0.45-8.3mdv2008.0.i586.rpm
68174419ca38e88f87658d11475e716d 2008.0/i586/mysql-max-5.0.45-8.3mdv2008.0.i586.rpm
2e47c7e45fb2188a5b4a552c23edfaf9 2008.0/i586/mysql-ndb-extra-5.0.45-8.3mdv2008.0.i586.rpm
19d0e06501b511c09288d75042180e0b 2008.0/i586/mysql-ndb-management-5.0.45-8.3mdv2008.0.i586.rpm
87815967c743b1a2c8190b1e34a28542 2008.0/i586/mysql-ndb-storage-5.0.45-8.3mdv2008.0.i586.rpm
be119a2c13e9fb93cf7a9dd82b22093f 2008.0/i586/mysql-ndb-tools-5.0.45-8.3mdv2008.0.i586.rpm
1647467195a43409ee289a2704002608 2008.0/SRPMS/mysql-5.0.45-8.3mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
8786523fc4ee663a61b030925a7649d4 2008.0/x86_64/lib64mysql15-5.0.45-8.3mdv2008.0.x86_64.rpm
e7969bf96906ed7683f76956d5968bc0 2008.0/x86_64/lib64mysql-devel-5.0.45-8.3mdv2008.0.x86_64.rpm
42c3ba27aafb73dc87e7acef4eab36ff 2008.0/x86_64/lib64mysql-static-devel-5.0.45-8.3mdv2008.0.x86_64.rpm
a0873f40a53e858bdc454b5aa01b8a7d 2008.0/x86_64/mysql-5.0.45-8.3mdv2008.0.x86_64.rpm
89a89bd97458ba99030ea004ecce409d 2008.0/x86_64/mysql-bench-5.0.45-8.3mdv2008.0.x86_64.rpm
0df3ab344e021bac5f6fe9eefbe64be8 2008.0/x86_64/mysql-client-5.0.45-8.3mdv2008.0.x86_64.rpm
7472bf5a811f542ce1e3f5461e286714 2008.0/x86_64/mysql-common-5.0.45-8.3mdv2008.0.x86_64.rpm
3f25583feb0e1220c66fda0b7ed52908 2008.0/x86_64/mysql-max-5.0.45-8.3mdv2008.0.x86_64.rpm
037b7240a17de717678e10ca059b07eb 2008.0/x86_64/mysql-ndb-extra-5.0.45-8.3mdv2008.0.x86_64.rpm
85383feff8a90555a5f8f64cb396f82d 2008.0/x86_64/mysql-ndb-management-5.0.45-8.3mdv2008.0.x86_64.rpm
c316aef02e214d360eb024dfc5f7dc35 2008.0/x86_64/mysql-ndb-storage-5.0.45-8.3mdv2008.0.x86_64.rpm
ec3058c1c790dd02c03826f868ff1077 2008.0/x86_64/mysql-ndb-tools-5.0.45-8.3mdv2008.0.x86_64.rpm
1647467195a43409ee289a2704002608 2008.0/SRPMS/mysql-5.0.45-8.3mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLHUZrmqjQ0CJFipgRAuOCAKDadso9P/SJZs5C+mFlnD2o38JvqACfcwR/
WVeC8UQYdZooaHXDObQjgSs=
=31aR
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close