Search...

SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)

2010-10-11T00:00:00

ID SUSE_MYSQL-6899.NASL
Type nessus
Reporter Tenable
Modified 2016-12-22T00:00:00

Description

This update fixes various security issues (bnc#557669) :

upstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

if (NASL_LEVEL &lt; 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(49903);
  script_version ("$Revision: 1.7 $");
  script_cvs_date("$Date: 2016/12/22 20:42:28 $");

  script_cve_id("CVE-2008-7247", "CVE-2009-4019", "CVE-2009-4028", "CVE-2009-4030", "CVE-2009-4484");

  script_name(english:"SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update fixes various security issues (bnc#557669) :

upstream #47320 - checking server certificates (CVE-2009-4028)
upstream #48291 - error handling in subqueries (CVE-2009-4019)
upstream #47780 - preserving null_value flag in GeomFromWKB()
(CVE-2009-4019) upstream #39277 - symlink behaviour fixed
(CVE-2008-7247) upstream #32167 - symlink behaviour refixed
(CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-7247.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2009-4019.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2009-4028.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2009-4030.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2009-4484.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 6899.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 59, 119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu &gt;!&lt; "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


flag = 0;
if (rpm_check(release:"SLED10", sp:3, reference:"mysql-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"mysql-client-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"mysql-devel-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"mysql-shared-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"mysql-shared-32bit-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"mysql-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"mysql-Max-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"mysql-client-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"mysql-devel-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"mysql-shared-5.0.26-12.28.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"mysql-shared-32bit-5.0.26-12.28.1")) flag++;


if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");

JSON Vulners Source

Initial Source

{"published": "2010-10-11T00:00:00", "id": "SUSE_MYSQL-6899.NASL", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [{"differentElements": ["cpe"], "edition": 2, "lastseen": "2016-12-23T06:13:08", "bulletin": {"enchantments": {}, "published": "2010-10-11T00:00:00", "id": "SUSE_MYSQL-6899.NASL", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "cpe": [], "hash": "2155c2997b0c40bb7c386d8dd231185f8aa6a714874fd6358db95d0be60353be", "description": "This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)", "type": "nessus", "pluginID": "49903", "lastseen": "2016-12-23T06:13:08", "edition": 2, "title": "SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=49903", "modified": "2016-12-22T00:00:00", "bulletinFamily": "scanner", "viewCount": 3, "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-7247", "CVE-2009-4019", "CVE-2009-4484"], "references": ["http://support.novell.com/security/cve/CVE-2009-4028.html", "http://support.novell.com/security/cve/CVE-2009-4030.html", "http://support.novell.com/security/cve/CVE-2008-7247.html", "http://support.novell.com/security/cve/CVE-2009-4019.html", "http://support.novell.com/security/cve/CVE-2009-4484.html"], "naslFamily": "SuSE Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49903);\n script_version (\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:42:28 $\");\n\n script_cve_id(\"CVE-2008-7247\", \"CVE-2009-4019\", \"CVE-2009-4028\", \"CVE-2009-4030\", \"CVE-2009-4484\");\n\n script_name(english:\"SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028)\nupstream #48291 - error handling in subqueries (CVE-2009-4019)\nupstream #47780 - preserving null_value flag in GeomFromWKB()\n(CVE-2009-4019) upstream #39277 - symlink behaviour fixed\n(CVE-2008-7247) upstream #32167 - symlink behaviour refixed\n(CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-7247.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4484.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6899.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 59, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-Max-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "hashmap": [{"hash": "66351ad22b3edabb9c5dcb202bbaec23", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "4a37aa23936005ccc24cd059b2201f23", "key": "modified"}, {"hash": "8e480b65a0278725c8a9b0c60a153bdc", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "ba6ad3b38f39b2c1b193e55e01b2e92d", "key": "published"}, {"hash": "0373d09d9ebef7b05f21dfd825770d70", "key": "href"}, {"hash": "e3b9d698886a0ffbff560a72edb69a1d", "key": "sourceData"}, {"hash": "b344ef74db5656387514a570b7c816ef", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "63ecfeecf3e17999303d8d6dca5af891", "key": "references"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "86201a15aee5bedd72cde46225d40eda", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "objectVersion": "1.2"}}, {"differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:26:07", "bulletin": {"published": "2010-10-11T00:00:00", "id": "SUSE_MYSQL-6899.NASL", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "hash": "be5f02fab54726964cd3c805dd13204fd896a3687fadb3eb60d32ae5c374fda4", "description": "This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)", "type": "nessus", "pluginID": "49903", "lastseen": "2016-09-26T17:26:07", "edition": 1, "title": "SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=49903", "modified": "2012-05-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-7247", "CVE-2009-4019", "CVE-2009-4484"], "references": ["http://support.novell.com/security/cve/CVE-2009-4028.html", "http://support.novell.com/security/cve/CVE-2009-4030.html", "http://support.novell.com/security/cve/CVE-2008-7247.html", "http://support.novell.com/security/cve/CVE-2009-4019.html", "http://support.novell.com/security/cve/CVE-2009-4484.html"], "naslFamily": "SuSE Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49903);\n script_version (\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2012/05/17 11:20:15 $\");\n\n script_cve_id(\"CVE-2008-7247\", \"CVE-2009-4019\", \"CVE-2009-4028\", \"CVE-2009-4030\", \"CVE-2009-4484\");\n\n script_name(english:\"SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028)\nupstream #48291 - error handling in subqueries (CVE-2009-4019)\nupstream #47780 - preserving null_value flag in GeomFromWKB()\n(CVE-2009-4019) upstream #39277 - symlink behaviour fixed\n(CVE-2008-7247) upstream #32167 - symlink behaviour refixed\n(CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-7247.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4484.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6899.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-Max-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "hashmap": [{"hash": "66351ad22b3edabb9c5dcb202bbaec23", "key": "description"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "45271c8be8a5a23a442ed93eebf1a4b7", "key": "sourceData"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8e480b65a0278725c8a9b0c60a153bdc", "key": "cvelist"}, {"hash": "ba6ad3b38f39b2c1b193e55e01b2e92d", "key": "published"}, {"hash": "0373d09d9ebef7b05f21dfd825770d70", "key": "href"}, {"hash": "2c14bc201ff403deced3aba2df959f24", "key": "cvss"}, {"hash": "b344ef74db5656387514a570b7c816ef", "key": "pluginID"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3226e7dd58d5fddf2d55637b2e3a0ec7", "key": "modified"}, {"hash": "63ecfeecf3e17999303d8d6dca5af891", "key": "references"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "86201a15aee5bedd72cde46225d40eda", "key": "title"}], "objectVersion": "1.2"}}], "description": "This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)", "hash": "b421a8b16bb03acf361aad4f3ffc4205ac7a2c210754ade5e43ad481e46a8b2f", "enchantments": {"vulnersScore": 7.5}, "type": "nessus", "pluginID": "49903", "lastseen": "2017-10-29T13:43:40", "edition": 3, "cpe": ["cpe:/o:suse:suse_linux"], "title": "SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=49903", "modified": "2016-12-22T00:00:00", "bulletinFamily": "scanner", "viewCount": 3, "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-7247", "CVE-2009-4019", "CVE-2009-4484"], "references": ["http://support.novell.com/security/cve/CVE-2009-4028.html", "http://support.novell.com/security/cve/CVE-2009-4030.html", "http://support.novell.com/security/cve/CVE-2008-7247.html", "http://support.novell.com/security/cve/CVE-2009-4019.html", "http://support.novell.com/security/cve/CVE-2009-4484.html"], "naslFamily": "SuSE Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49903);\n script_version (\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:42:28 $\");\n\n script_cve_id(\"CVE-2008-7247\", \"CVE-2009-4019\", \"CVE-2009-4028\", \"CVE-2009-4030\", \"CVE-2009-4484\");\n\n script_name(english:\"SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes various security issues (bnc#557669) :\n\nupstream #47320 - checking server certificates (CVE-2009-4028)\nupstream #48291 - error handling in subqueries (CVE-2009-4019)\nupstream #47780 - preserving null_value flag in GeomFromWKB()\n(CVE-2009-4019) upstream #39277 - symlink behaviour fixed\n(CVE-2008-7247) upstream #32167 - symlink behaviour refixed\n(CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-7247.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4484.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6899.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 59, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-Max-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-client-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-devel-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mysql-shared-5.0.26-12.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"mysql-shared-32bit-5.0.26-12.28.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "3138d89b276fab4c175caf5f2b1e5bfc", "key": "cpe"}, {"hash": "8e480b65a0278725c8a9b0c60a153bdc", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "66351ad22b3edabb9c5dcb202bbaec23", "key": "description"}, {"hash": "0373d09d9ebef7b05f21dfd825770d70", "key": "href"}, {"hash": "4a37aa23936005ccc24cd059b2201f23", "key": "modified"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "b344ef74db5656387514a570b7c816ef", "key": "pluginID"}, {"hash": "ba6ad3b38f39b2c1b193e55e01b2e92d", "key": "published"}, {"hash": "63ecfeecf3e17999303d8d6dca5af891", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e3b9d698886a0ffbff560a72edb69a1d", "key": "sourceData"}, {"hash": "86201a15aee5bedd72cde46225d40eda", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "objectVersion": "1.3"}

{"result": {"cve": [{"id": "CVE-2009-4030", "type": "cve", "title": "CVE-2009-4030", "description": "MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.", "published": "2009-11-30T12:30:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4030", "cvelist": ["CVE-2009-4030"], "lastseen": "2018-01-05T12:19:53"}, {"id": "CVE-2009-4028", "type": "cve", "title": "CVE-2009-4028", "description": "The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.", "published": "2009-11-30T12:30:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4028", "cvelist": ["CVE-2009-4028"], "lastseen": "2017-09-19T13:36:42"}, {"id": "CVE-2008-7247", "type": "cve", "title": "CVE-2008-7247", "description": "sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.", "published": "2009-11-30T12:30:00", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7247", "cvelist": ["CVE-2008-7247"], "lastseen": "2018-01-05T12:19:39"}, {"id": "CVE-2009-4019", "type": "cve", "title": "CVE-2009-4019", "description": "mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.", "published": "2009-11-30T12:30:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4019", "cvelist": ["CVE-2009-4019"], "lastseen": "2018-01-05T12:19:53"}, {"id": "CVE-2009-4484", "type": "cve", "title": "CVE-2009-4484", "description": "Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.", "published": "2009-12-30T16:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4484", "cvelist": ["CVE-2009-4484"], "lastseen": "2018-01-05T12:19:55"}], "openvas": [{"id": "OPENVAS:1361412562310801066", "type": "openvas", "title": "MySQL Authenticated Access Restrictions Bypass Vulnerability", "description": "The host is running MySQL and is prone to Access restrictions Bypass\n Vulnerability", "published": "2009-12-04T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801066", "cvelist": ["CVE-2009-4030"], "lastseen": "2017-07-02T21:14:13"}, {"id": "OPENVAS:1361412562310100356", "type": "openvas", "title": "MySQL multiple Vulnerabilities", "description": "MySQL is prone to a security-bypass vulnerability and to to a local\nprivilege-escalation vulnerability.\n\nAn attacker can exploit the security-bypass issue to bypass certain\nsecurity restrictions and obtain sensitive information that may lead\nto further attacks.\n\nLocal attackers can exploit the local privilege-escalation issue to\ngain elevated privileges on the affected computer.\n\nVersions prior to MySQL 5.1.41 are vulnerable.", "published": "2009-11-20T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100356", "cvelist": ["CVE-2009-4030"], "lastseen": "2017-07-02T21:13:49"}, {"id": "OPENVAS:1361412562310123757", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0121", "description": "Oracle Linux Local Security Checks ELSA-2013-0121", "published": "2015-10-06T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123757", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-07-24T12:52:54"}, {"id": "OPENVAS:1361412562310881559", "type": "openvas", "title": "CentOS Update for mysql CESA-2013:0121 centos5 ", "description": "Check for the Version of mysql", "published": "2013-01-21T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881559", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2018-04-06T11:21:16"}, {"id": "OPENVAS:870888", "type": "openvas", "title": "RedHat Update for mysql RHSA-2013:0121-01", "description": "Check for the Version of mysql", "published": "2013-01-11T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870888", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-07-27T10:51:53"}, {"id": "OPENVAS:881559", "type": "openvas", "title": "CentOS Update for mysql CESA-2013:0121 centos5 ", "description": "Check for the Version of mysql", "published": "2013-01-21T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881559", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2018-01-26T11:09:31"}, {"id": "OPENVAS:1361412562310870888", "type": "openvas", "title": "RedHat Update for mysql RHSA-2013:0121-01", "description": "Check for the Version of mysql", "published": "2013-01-11T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870888", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2018-04-09T11:24:26"}, {"id": "OPENVAS:1361412562310122394", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2010-0109", "description": "Oracle Linux Local Security Checks ELSA-2010-0109", "published": "2015-10-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122394", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2009-4019"], "lastseen": "2017-07-24T12:52:17"}, {"id": "OPENVAS:830806", "type": "openvas", "title": "Mandriva Update for mysql MDVSA-2010:012 (mysql)", "description": "Check for the Version of mysql", "published": "2010-01-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=830806", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-4098", "CVE-2008-2079", "CVE-2009-4019"], "lastseen": "2018-01-02T10:54:32"}, {"id": "OPENVAS:870216", "type": "openvas", "title": "RedHat Update for mysql RHSA-2010:0109-01", "description": "Check for the Version of mysql", "published": "2010-02-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870216", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-4098", "CVE-2008-2079", "CVE-2009-4019"], "lastseen": "2017-12-12T11:10:42"}], "seebug": [{"id": "SSV:15007", "type": "seebug", "title": "MySQL MyISAM\u8868\u7b26\u53f7\u94fe\u63a5\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e", "description": "BUGTRAQ ID: 37075\r\nCVE ID: CVE-2009-4030\r\n\r\nMySQL\u662f\u4e00\u6b3e\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5173\u7cfb\u6570\u636e\u5e93\u7cfb\u7edf\uff0c\u62e5\u6709\u5404\u79cd\u5e73\u53f0\u7684\u8fd0\u884c\u7248\u672c\u3002\r\n\r\nMySQL\u5141\u8bb8\u672c\u5730\u7528\u6237\u901a\u8fc7\u5bf9MyISAM\u8868\u8c03\u7528CREATE TABLE\u7ed5\u8fc7\u67d0\u4e9b\u6743\u9650\u68c0\u67e5\u3002\u5728\u901a\u8fc7\u4ee5\u4e0b\u65b9\u5f0f\u521b\u5efaMyISAM\u8868\u65f6\uff1a\r\n\r\n CREATE TABLE ( ) DATA DIRECTORY ... INDEX DIRECTORY ...\r\n\r\n\u7531\u4e8e\u6ca1\u6709\u7279\u522b\u7684\u68c0\u67e5\u786e\u4fdd\u5df2\u6709\u7684\u8868\u683c\u4e0d\u4f1a\u88ab\u7b26\u53f7\u94fe\u63a5\u8986\u76d6\uff0c\u7528\u6237\u53ef\u4ee5\u5728test\u6570\u636e\u5e93\u4e2d\u521b\u5efauser\u8868\u683c\uff0cDATA DIRECTORY\u6307\u5411mysql\u6570\u636e\u5e93\u3002\u8fd9\u4e2a\u6f0f\u6d1e\u4e0emysql_unpacked_real_data_home\u503c\u7684\u9519\u8bef\u8ba1\u7b97\u65b9\u5f0f\u6709\u5173\u3002\n\nMySQL AB MySQL 5.1.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMySQL AB\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://lists.mysql.com/commits/38278", "published": "2009-12-02T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-15007", "cvelist": ["CVE-2009-4030"], "lastseen": "2017-11-19T18:27:53"}, {"id": "SSV:19118", "type": "seebug", "title": "MySQL vulnerabilities", "description": "No description provided by source.", "published": "2010-02-13T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-19118", "cvelist": ["CVE-2008-4098", "CVE-2008-4456", "CVE-2008-7247", "CVE-2009-2446", "CVE-2009-4019", "CVE-2009-4030", "CVE-2009-4484"], "lastseen": "2017-11-19T18:15:11"}, {"id": "SSV:15006", "type": "seebug", "title": "MySQL OpenSSL\u5ba2\u6237\u7aef\u7ed5\u8fc7yaSSL\u670d\u52a1\u5668\u8bc1\u4e66\u9a8c\u8bc1\u6f0f\u6d1e", "description": "BUGTRAQ ID: 37076\r\nCVE ID: CVE-2009-4028\r\n\r\nMySQL\u662f\u4e00\u6b3e\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5173\u7cfb\u6570\u636e\u5e93\u7cfb\u7edf\uff0c\u62e5\u6709\u5404\u79cd\u5e73\u53f0\u7684\u8fd0\u884c\u7248\u672c\u3002\r\n\r\n\u5728\u4f7f\u7528OpenSSL\u7684\u65f6\u5019\uff0cMySQL\u7684viosslfactories.c\u6587\u4ef6\u4e2d\u7684vio_verify_callback\u51fd\u6570\u53ef\u4ee5\u63a5\u53d7\u6df1\u5ea6\u4e3a0\u7684X.509\u8bc1\u4e66\uff1a\r\n\r\nvio_verify_callback() at viosslfactories.c:\r\n\r\n /*\r\n Approve cert if depth is greater then "verify_depth", currently\r\n verify_depth is always 0 and there is no way to increase it.\r\n */\r\n if (verify_depth >= depth)\r\n ok= 1;\r\n\r\n\u63d0\u4f9b\u4e86\u7279\u5236\u8bc1\u4e66\u7684\u57fa\u4e8eSSL MySQL\u6570\u636e\u5e93\u53ef\u4ee5\u6267\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\u3002\n\nMySQL AB MySQL 5.1.x \r\nMySQL AB MySQL 5.0.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMySQL AB\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://lists.mysql.com/commits/87446", "published": "2009-12-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-15006", "cvelist": ["CVE-2009-4028"], "lastseen": "2017-11-19T18:28:25"}, {"id": "SSV:15004", "type": "seebug", "title": "MySQL CREATE TABLE\u8c03\u7528\u7ed5\u8fc7\u8bbf\u95ee\u9650\u5236\u6f0f\u6d1e", "description": "CVE ID: CVE-2008-7247\r\n\r\nMySQL\u662f\u4e00\u6b3e\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5173\u7cfb\u6570\u636e\u5e93\u7cfb\u7edf\uff0c\u62e5\u6709\u5404\u79cd\u5e73\u53f0\u7684\u8fd0\u884c\u7248\u672c\u3002\r\n\r\n\u5f53\u6570\u636e\u4e3b\u76ee\u5f55\u5305\u542b\u6709\u5230\u4e0d\u540c\u6587\u4ef6\u7cfb\u7edf\u7684\u7b26\u53f7\u94fe\u63a5\u65f6\uff0cMySQL\u7684ql/sql_table.cc\u5141\u8bb8\u901a\u8fc7\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u4ee5\u7279\u6b8aDATA DIRECTORY\u6216INDEX DIRECTORY\u53c2\u6570\u8c03\u7528CREATE TABLE\u7ed5\u8fc7\u9884\u671f\u7684\u8bbf\u95ee\u9650\u5236\uff0c\u6267\u884c\u5404\u79cd\u975e\u6388\u6743\u64cd\u4f5c\u3002\n\nMySQL AB MySQL 6.0 \r\nMySQL AB MySQL 5.1.x \r\nMySQL AB MySQL 5.0.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMySQL AB\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://lists.mysql.com/commits/59711", "published": "2009-12-02T00:00:00", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-15004", "cvelist": ["CVE-2008-7247"], "lastseen": "2017-11-19T18:27:52"}, {"id": "SSV:15090", "type": "seebug", "title": "MySQL\u591a\u4e2a\u7578\u5f62SQL\u64cd\u4f5c\u5904\u7406\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "description": "BUGTRAQ ID: 37297\r\nCVE ID: CVE-2009-4019\r\n\r\nMySQL\u662f\u4e00\u6b3e\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5173\u7cfb\u6570\u636e\u5e93\u7cfb\u7edf\uff0c\u62e5\u6709\u5404\u79cd\u5e73\u53f0\u7684\u8fd0\u884c\u7248\u672c\u3002\r\n\r\nMySQL\u7684\u5728\u5904\u7406\u7279\u5b9a\u7684SQL\u64cd\u4f5c\u65f6\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u672c\u5730\u6216\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u670d\u52a1\u5668\u5d29\u6e83\u3002\n\nMySQL AB MySQL 6.0.x\r\nMySQL AB MySQL 5.1.x \r\nMySQL AB MySQL 5.0.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMySQL AB\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.mysql.com/", "published": "2009-12-17T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-15090", "cvelist": ["CVE-2009-4019"], "lastseen": "2017-11-19T18:25:02"}, {"id": "SSV:15005", "type": "seebug", "title": "MySQL SELECT\u8bed\u53e5\u5904\u7406\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "description": "CVE ID: CVE-2009-4019\r\n\r\nMySQL\u662f\u4e00\u6b3e\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5173\u7cfb\u6570\u636e\u5e93\u7cfb\u7edf\uff0c\u62e5\u6709\u5404\u79cd\u5e73\u53f0\u7684\u8fd0\u884c\u7248\u672c\u3002\r\n\r\nMySQL\u7684mysqld\u5b88\u62a4\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u5730\u5904\u7406\u5728\u6267\u884c\u67d0\u4e9b\u5e26\u6709\u5b50\u67e5\u8be2\u7684SELECT\u8bed\u53e5\u671f\u95f4\u6240\u4ea7\u751f\u7684\u9519\u8bef\uff0c\u5728\u6267\u884c\u4f7f\u7528GeomFromWKB\u51fd\u6570\u7684\u8bed\u53e5\u671f\u95f4\u6ca1\u6709\u4fdd\u7559\u67d0\u4e9bnull_value\u6807\u8bb0\uff0c\u8fd9\u5141\u8bb8\u901a\u8fc7\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u63d0\u4ea4\u7279\u5236\u8bed\u53e5\u5bfc\u81f4\u5b88\u62a4\u7a0b\u5e8f\u5d29\u6e83\u3002\n\nMySQL AB MySQL 5.1.x \r\nMySQL AB MySQL 5.0.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMySQL AB\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://lists.mysql.com/commits/88409\r\nhttp://lists.mysql.com/commits/87482", "published": "2009-12-02T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-15005", "cvelist": ["CVE-2009-4019"], "lastseen": "2017-11-19T18:27:52"}], "nessus": [{"id": "SL_20130108_MYSQL_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : mysql on SL5.x i386/x86_64", "description": "It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the 'datadir' option was configured with a relative path, was incorrectly removed when the mysql packages in Scientific Linux 5 were updated to version 5.0.95 via SLSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.\n(CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in SLSA-2010:0109 (by adding 'symbolic-links=0' to the '[mysqld]' section of the 'my.cnf' configuration file), users were not vulnerable to this issue.\n\nThis update also fixes the following bugs :\n\n - Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the '/var/log/mysqld.log' file. This update modifies the logrotate script to allow rotating the mysqld.log file.\n\n - Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected.\n\n - Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started. This update modifies the init script to report the status of the mysqld server as expected.\n\n - Prior to this update, the '--enable-profiling' option was by default disabled. This update enables the profiling feature.\n\nAfter installing this update, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2013-01-17T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63599", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-10-29T13:34:55"}, {"id": "ORACLELINUX_ELSA-2013-0121.NASL", "type": "nessus", "title": "Oracle Linux 5 : mysql (ELSA-2013-0121)", "description": "From Red Hat Security Advisory 2013:0121 :\n\nUpdated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the 'datadir' option was configured with a relative path, was incorrectly removed when the mysql packages in Red Hat Enterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.\n(CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in RHSA-2010:0109 (by adding 'symbolic-links=0' to the '[mysqld]' section of the 'my.cnf' configuration file), users were not vulnerable to this issue.\n\nThis issue was discovered by Karel Volny of the Red Hat Quality Engineering team.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the '/var/log/mysqld.log' file. This update modifies the logrotate script to allow rotating the mysqld.log file.\n(BZ#647223)\n\n* Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected. (BZ#654000)\n\n* Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started.\nThis update modifies the init script to report the status of the mysqld server as expected. (BZ#703476)\n\n* Prior to this update, the '--enable-profiling' option was by default disabled. This update enables the profiling feature. (BZ#806365)\n\nAll MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2013-07-12T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68692", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-10-29T13:45:20"}, {"id": "MYSQL_5_0_95_CREATE_TABLE_BYPASS.NASL", "type": "nessus", "title": "MySQL 5.0.95 MyISAM Table Symbolic Link Local Restriction Bypass", "description": "The version of MySQL installed may be affected by a symlink-related restriction bypass vulnerability due to a CVE-2009-4030 regression fix being removed in a RedHat 5.0.95 package. \n\nNote that this flaw has no impact if the default basedir and datadir configuration values are unchanged.", "published": "2012-11-15T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=62927", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-10-29T13:38:28"}, {"id": "REDHAT-RHSA-2013-0121.NASL", "type": "nessus", "title": "RHEL 5 : mysql (RHSA-2013:0121)", "description": "Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the 'datadir' option was configured with a relative path, was incorrectly removed when the mysql packages in Red Hat Enterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.\n(CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in RHSA-2010:0109 (by adding 'symbolic-links=0' to the '[mysqld]' section of the 'my.cnf' configuration file), users were not vulnerable to this issue.\n\nThis issue was discovered by Karel Volny of the Red Hat Quality Engineering team.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the '/var/log/mysqld.log' file. This update modifies the logrotate script to allow rotating the mysqld.log file.\n(BZ#647223)\n\n* Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected. (BZ#654000)\n\n* Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started.\nThis update modifies the init script to report the status of the mysqld server as expected. (BZ#703476)\n\n* Prior to this update, the '--enable-profiling' option was by default disabled. This update enables the profiling feature. (BZ#806365)\n\nAll MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2013-01-08T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63404", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-10-29T13:34:08"}, {"id": "CENTOS_RHSA-2013-0121.NASL", "type": "nessus", "title": "CentOS 5 : mysql (CESA-2013:0121)", "description": "Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the 'datadir' option was configured with a relative path, was incorrectly removed when the mysql packages in Red Hat Enterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.\n(CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in RHSA-2010:0109 (by adding 'symbolic-links=0' to the '[mysqld]' section of the 'my.cnf' configuration file), users were not vulnerable to this issue.\n\nThis issue was discovered by Karel Volny of the Red Hat Quality Engineering team.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the '/var/log/mysqld.log' file. This update modifies the logrotate script to allow rotating the mysqld.log file.\n(BZ#647223)\n\n* Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected. (BZ#654000)\n\n* Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started.\nThis update modifies the init script to report the status of the mysqld server as expected. (BZ#703476)\n\n* Prior to this update, the '--enable-profiling' option was by default disabled. This update enables the profiling feature. (BZ#806365)\n\nAll MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2013-01-17T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63566", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2017-10-29T13:35:08"}, {"id": "DEBIAN_DSA-1997.NASL", "type": "nessus", "title": "Debian DSA-1997-1 : mysql-dfsg-5.0 - several vulnerabilities", "description": "Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2009-4019 Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.\n\n - CVE-2009-4030 Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory.\n\n - CVE-2009-4484 Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field.", "published": "2010-02-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44861", "cvelist": ["CVE-2009-4030", "CVE-2009-4019", "CVE-2009-4484"], "lastseen": "2017-10-29T13:34:35"}, {"id": "MANDRIVA_MDVSA-2010-011.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : mysql (MDVSA-2010:011)", "description": "Multiple vulnerabilities has been found and corrected in mysql :\n\nmysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement (CVE-2009-4019).\n\nThe vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library (CVE-2009-4028).\n\nMySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079 (CVE-2009-4030).\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0 customers.\n\nThe updated packages have been patched to correct these issues.\nAdditionally for 2009.0 and MES5 mysql has also been upgraded to the last stable 5.0 release (5.0.89).", "published": "2010-01-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44043", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2009-4019"], "lastseen": "2017-10-29T13:34:57"}, {"id": "MANDRIVA_MDVSA-2010-012.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : mysql (MDVSA-2010:012)", "description": "Multiple vulnerabilities has been found and corrected in mysql :\n\nmysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement (CVE-2009-4019).\n\nThe vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library (CVE-2009-4028).\n\nMySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079 (CVE-2009-4030).\n\nThe updated packages have been patched to correct these issues.\nAdditionally for 2009.1 and 2010.0 mysql has also been upgraded to the latest stable 5.1 release (5.1.42).", "published": "2010-07-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=48166", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2009-4019"], "lastseen": "2017-10-29T13:37:19"}, {"id": "SUSE_11_0_LIBMYSQLCLIENT-DEVEL-091216.NASL", "type": "nessus", "title": "openSUSE Security Update : libmysqlclient-devel (openSUSE-SU-2010:0198-1)", "description": "This update fixes several security issues in mysql :\n\n - checking server certificates (CVE-2009-4028)\n\n - error handling in subqueries (CVE-2009-4019)\n\n - preserving null_value flag in GeomFromWKB (CVE-2009-4019)\n\n - symlink behavior fixed (CVE-2008-7247)\n\n - symlink behavior refixed (CVE-2009-4030)", "published": "2010-05-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46218", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-7247", "CVE-2009-4019"], "lastseen": "2017-10-29T13:34:29"}, {"id": "SUSE_11_2_LIBMYSQLCLIENT-DEVEL-091215.NASL", "type": "nessus", "title": "openSUSE Security Update : libmysqlclient-devel (openSUSE-SU-2010:0198-1)", "description": "This update fixes several security issues in mysql :\n\n - checking server certificates (CVE-2009-4028)\n\n - error handling in subqueries (CVE-2009-4019)\n\n - preserving null_value flag in GeomFromWKB (CVE-2009-4019)\n\n - symlink behavior fixed (CVE-2008-7247)\n\n - symlink behavior refixed (CVE-2009-4030)", "published": "2010-05-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=46220", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2008-7247", "CVE-2009-4019"], "lastseen": "2017-10-29T13:41:35"}], "oraclelinux": [{"id": "ELSA-2013-0121", "type": "oraclelinux", "title": "mysql security and bug fix update", "description": "[5.0.95-3]\r\n- Re-add patch for CVE-2009-4030, mistakenly removed in 5.0.95 rebase\r\nResolves: CVE-2012-4452\r\n \n[5.0.95-2]\r\n- Support rotation of mysqld log (though this is not enabled by default)\r\nResolves: #647223\r\n- Fix crash with EXPLAIN and prepared statements\r\nResolves: #654000\r\n- Adopt init script updates from the last Fedora init script (F-15)\r\nResolves: #703476", "published": "2013-01-11T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0121.html", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2016-09-04T11:16:20"}, {"id": "ELSA-2010-0109", "type": "oraclelinux", "title": "mysql security update", "description": "[5.0.77-4.2]\n- Add fixes for CVE-2009-4019, CVE-2009-4028, CVE-2009-4030\nResolves: #556505\n- Use non-expired certificates for SSL testing (upstream bug 50702)\n- Emit explicit error message if user tries to build RPM as root\n- Add comment suggesting disabling symbolic links in /etc/my.cnf ", "published": "2010-02-16T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0109.html", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2009-4019"], "lastseen": "2016-09-04T11:17:14"}, {"id": "ELSA-2010-0110", "type": "oraclelinux", "title": "mysql security update", "description": "[4.1.22-2.el4.3]\n- Add comment suggesting disabling symbolic links in /etc/my.cnf\n[4.1.22-2.el4.2]\n- Add fixes for CVE-2008-4098, CVE-2009-4030 (two successive attempts to fix\n DATA/INDEX DIRECTORY vulnerabilities) and CVE-2008-4456 (mysql command line\n client XSS flaw)\nResolves: #512255\n[4.1.22-2.el4.1]\n- Add fix for CVE-2009-2446 (format string vulnerability in COM_CREATE_DB and\n COM_DROP_DB processing)\nResolves: #512255 ", "published": "2010-02-16T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0110.html", "cvelist": ["CVE-2009-2446", "CVE-2008-4456", "CVE-2009-4030", "CVE-2008-4098"], "lastseen": "2016-09-04T11:16:23"}], "centos": [{"id": "CESA-2013:0121", "type": "centos", "title": "mysql security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0121\n\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was found that the fix for the CVE-2009-4030 issue, a flaw in the way\nMySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX\nDIRECTORY directives when the \"datadir\" option was configured with a\nrelative path, was incorrectly removed when the mysql packages in Red Hat\nEnterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An\nauthenticated attacker could use this flaw to bypass the restriction\npreventing the use of subdirectories of the MySQL data directory being used\nas DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix\nfor CVE-2009-4030. (CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were\ndisabled as described in RHSA-2010:0109 (by adding \"symbolic-links=0\" to\nthe \"[mysqld]\" section of the \"my.cnf\" configuration file), users were not\nvulnerable to this issue.\n\nThis issue was discovered by Karel Volny of the Red Hat Quality Engineering\nteam.\n\nThis update also fixes the following bugs:\n\n* Prior to this update, the log file path in the logrotate script did not\nbehave as expected. As a consequence, the logrotate function failed to\nrotate the \"/var/log/mysqld.log\" file. This update modifies the logrotate\nscript to allow rotating the mysqld.log file. (BZ#647223)\n\n* Prior to this update, the mysqld daemon could fail when using the EXPLAIN\nflag in prepared statement mode. This update modifies the underlying code\nto handle the EXPLAIN flag as expected. (BZ#654000)\n\n* Prior to this update, the mysqld init script could wrongly report that\nmysql server startup failed when the server was actually started. This\nupdate modifies the init script to report the status of the mysqld server\nas expected. (BZ#703476)\n\n* Prior to this update, the \"--enable-profiling\" option was by default\ndisabled. This update enables the profiling feature. (BZ#806365)\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-January/000403.html\n\n**Affected packages:**\nmysql\nmysql-bench\nmysql-devel\nmysql-server\nmysql-test\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0121.html", "published": "2013-01-11T13:18:41", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-January/000403.html", "cvelist": ["CVE-2012-4452", "CVE-2009-4030"], "lastseen": "2018-04-04T13:00:02"}, {"id": "CESA-2010:0109", "type": "centos", "title": "mysql security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:0109\n\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was discovered that the MySQL client ignored certain SSL certificate\nverification errors when connecting to servers. A man-in-the-middle\nattacker could use this flaw to trick MySQL clients into connecting to a\nspoofed MySQL server. (CVE-2009-4028)\n\nNote: This fix may uncover previously hidden SSL configuration issues, such\nas incorrect CA certificates being used by clients or expired server\ncertificates. This update should be carefully tested in deployments where\nSSL connections are used.\n\nA flaw was found in the way MySQL handled SELECT statements with subqueries\nin the WHERE clause, that assigned results to a user variable. A remote,\nauthenticated attacker could use this flaw to crash the MySQL server daemon\n(mysqld). This issue only caused a temporary denial of service, as the\nMySQL daemon was automatically restarted after the crash. (CVE-2009-4019)\n\nWhen the \"datadir\" option was configured with a relative path, MySQL did\nnot properly check paths used as arguments for the DATA DIRECTORY and INDEX\nDIRECTORY directives. An authenticated attacker could use this flaw to\nbypass the restriction preventing the use of subdirectories of the MySQL\ndata directory being used as DATA DIRECTORY and INDEX DIRECTORY paths.\n(CVE-2009-4030)\n\nNote: Due to the security risks and previous security issues related to the\nuse of the DATA DIRECTORY and INDEX DIRECTORY directives, users not\ndepending on this feature should consider disabling it by adding\n\"symbolic-links=0\" to the \"[mysqld]\" section of the \"my.cnf\" configuration\nfile. In this update, an example of such a configuration was added to the\ndefault \"my.cnf\" file.\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016527.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-March/016528.html\n\n**Affected packages:**\nmysql\nmysql-bench\nmysql-devel\nmysql-server\nmysql-test\n\n**Upstream details at:**\n", "published": "2010-03-01T18:43:17", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-March/016527.html", "cvelist": ["CVE-2009-4030", "CVE-2009-4028", "CVE-2009-4019"], "lastseen": "2017-10-03T18:24:36"}, {"id": "CESA-2010:0110", "type": "centos", "title": "mysql security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:0110\n\n\nMySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nMultiple flaws were discovered in the way MySQL handled symbolic links to\ntables created using the DATA DIRECTORY and INDEX DIRECTORY directives in\nCREATE TABLE statements. An attacker with CREATE and DROP table privileges\nand shell access to the database server could use these flaws to escalate\ntheir database privileges, or gain access to tables created by other\ndatabase users. (CVE-2008-4098, CVE-2009-4030)\n\nNote: Due to the security risks and previous security issues related to the\nuse of the DATA DIRECTORY and INDEX DIRECTORY directives, users not\ndepending on this feature should consider disabling it by adding\n\"symbolic-links=0\" to the \"[mysqld]\" section of the \"my.cnf\" configuration\nfile. In this update, an example of such a configuration was added to the\ndefault \"my.cnf\" file.\n\nAn insufficient HTML entities quoting flaw was found in the mysql command\nline client's HTML output mode. If an attacker was able to inject arbitrary\nHTML tags into data stored in a MySQL database, which was later retrieved\nusing the mysql command line client and its HTML output mode, they could\nperform a cross-site scripting (XSS) attack against victims viewing the\nHTML output in a web browser. (CVE-2008-4456)\n\nMultiple format string flaws were found in the way the MySQL server logged\nuser commands when creating and deleting databases. A remote, authenticated\nattacker with permissions to CREATE and DROP databases could use these\nflaws to formulate a specially-crafted SQL command that would cause a\ntemporary denial of service (open connections to mysqld are terminated).\n(CVE-2009-2446)\n\nNote: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld\n\"--log\" command line option or the \"log\" option in \"my.cnf\") must be\nenabled. This logging is not enabled by default.\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016501.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016502.html\n\n**Affected packages:**\nmysql\nmysql-bench\nmysql-devel\nmysql-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0110.html", "published": "2010-02-17T16:42:25", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-February/016501.html", "cvelist": ["CVE-2009-2446", "CVE-2008-4456", "CVE-2009-4030", "CVE-2008-4098"], "lastseen": "2017-10-03T18:24:26"}], "redhat": [{"id": "RHSA-2013:0121", "type": "redhat", "title": "(RHSA-2013:0121) Low: mysql security and bug fix update", "description": "MySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was found that the fix for the CVE-2009-4030 issue, a flaw in the way\nMySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX\nDIRECTORY directives when the \"datadir\" option was configured with a\nrelative path, was incorrectly removed when the mysql packages in Red Hat\nEnterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An\nauthenticated attacker could use this flaw to bypass the restriction\npreventing the use of subdirectories of the MySQL data directory being used\nas DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix\nfor CVE-2009-4030. (CVE-2012-4452)\n\nNote: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were\ndisabled as described in RHSA-2010:0109 (by adding \"symbolic-links=0\" to\nthe \"[mysqld]\" section of the \"my.cnf\" configuration file), users were not\nvulnerable to this issue.\n\nThis issue was discovered by Karel Volny of the Red Hat Quality Engineering\nteam.\n\nThis update also fixes the following bugs:\n\n* Prior to this update, the log file path in the logrotate script did not\nbehave as expected. As a consequence, the logrotate function failed to\nrotate the \"/var/log/mysqld.log\" file. This update modifies the logrotate\nscript to allow rotating the mysqld.log file. (BZ#647223)\n\n* Prior to this update, the mysqld daemon could fail when using the EXPLAIN\nflag in prepared statement mode. This update modifies the underlying code\nto handle the EXPLAIN flag as expected. (BZ#654000)\n\n* Prior to this update, the mysqld init script could wrongly report that\nmysql server startup failed when the server was actually started. This\nupdate modifies the init script to report the status of the mysqld server\nas expected. (BZ#703476)\n\n* Prior to this update, the \"--enable-profiling\" option was by default\ndisabled. This update enables the profiling feature. (BZ#806365)\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.\n", "published": "2013-01-08T05:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0121", "cvelist": ["CVE-2009-4030", "CVE-2012-4452"], "lastseen": "2017-09-09T07:19:53"}, {"id": "RHSA-2010:0109", "type": "redhat", "title": "(RHSA-2010:0109) Moderate: mysql security update", "description": "MySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nIt was discovered that the MySQL client ignored certain SSL certificate\nverification errors when connecting to servers. A man-in-the-middle\nattacker could use this flaw to trick MySQL clients into connecting to a\nspoofed MySQL server. (CVE-2009-4028)\n\nNote: This fix may uncover previously hidden SSL configuration issues, such\nas incorrect CA certificates being used by clients or expired server\ncertificates. This update should be carefully tested in deployments where\nSSL connections are used.\n\nA flaw was found in the way MySQL handled SELECT statements with subqueries\nin the WHERE clause, that assigned results to a user variable. A remote,\nauthenticated attacker could use this flaw to crash the MySQL server daemon\n(mysqld). This issue only caused a temporary denial of service, as the\nMySQL daemon was automatically restarted after the crash. (CVE-2009-4019)\n\nWhen the \"datadir\" option was configured with a relative path, MySQL did\nnot properly check paths used as arguments for the DATA DIRECTORY and INDEX\nDIRECTORY directives. An authenticated attacker could use this flaw to\nbypass the restriction preventing the use of subdirectories of the MySQL\ndata directory being used as DATA DIRECTORY and INDEX DIRECTORY paths.\n(CVE-2009-4030)\n\nNote: Due to the security risks and previous security issues related to the\nuse of the DATA DIRECTORY and INDEX DIRECTORY directives, users not\ndepending on this feature should consider disabling it by adding\n\"symbolic-links=0\" to the \"[mysqld]\" section of the \"my.cnf\" configuration\nfile. In this update, an example of such a configuration was added to the\ndefault \"my.cnf\" file.\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2010-02-16T05:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0109", "cvelist": ["CVE-2009-4019", "CVE-2009-4028", "CVE-2009-4030"], "lastseen": "2017-09-09T07:20:01"}, {"id": "RHSA-2010:0110", "type": "redhat", "title": "(RHSA-2010:0110) Moderate: mysql security update", "description": "MySQL is a multi-user, multi-threaded SQL database server. It consists of\nthe MySQL server daemon (mysqld) and many client programs and libraries.\n\nMultiple flaws were discovered in the way MySQL handled symbolic links to\ntables created using the DATA DIRECTORY and INDEX DIRECTORY directives in\nCREATE TABLE statements. An attacker with CREATE and DROP table privileges\nand shell access to the database server could use these flaws to escalate\ntheir database privileges, or gain access to tables created by other\ndatabase users. (CVE-2008-4098, CVE-2009-4030)\n\nNote: Due to the security risks and previous security issues related to the\nuse of the DATA DIRECTORY and INDEX DIRECTORY directives, users not\ndepending on this feature should consider disabling it by adding\n\"symbolic-links=0\" to the \"[mysqld]\" section of the \"my.cnf\" configuration\nfile. In this update, an example of such a configuration was added to the\ndefault \"my.cnf\" file.\n\nAn insufficient HTML entities quoting flaw was found in the mysql command\nline client's HTML output mode. If an attacker was able to inject arbitrary\nHTML tags into data stored in a MySQL database, which was later retrieved\nusing the mysql command line client and its HTML output mode, they could\nperform a cross-site scripting (XSS) attack against victims viewing the\nHTML output in a web browser. (CVE-2008-4456)\n\nMultiple format string flaws were found in the way the MySQL server logged\nuser commands when creating and deleting databases. A remote, authenticated\nattacker with permissions to CREATE and DROP databases could use these\nflaws to formulate a specially-crafted SQL command that would cause a\ntemporary denial of service (open connections to mysqld are terminated).\n(CVE-2009-2446)\n\nNote: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld\n\"--log\" command line option or the \"log\" option in \"my.cnf\") must be\nenabled. This logging is not enabled by default.\n\nAll MySQL users are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues. After installing this\nupdate, the MySQL server daemon (mysqld) will be restarted automatically.", "published": "2010-02-16T05:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0110", "cvelist": ["CVE-2008-4098", "CVE-2008-4456", "CVE-2009-2446", "CVE-2009-4030"], "lastseen": "2017-09-09T07:19:21"}], "debian": [{"id": "DSA-1997", "type": "debian", "title": "mysql-dfsg-5.0 -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2009-4019](<https://security-tracker.debian.org/tracker/CVE-2009-4019>)\n\nDomas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.\n\n * [CVE-2009-4030](<https://security-tracker.debian.org/tracker/CVE-2009-4030>)\n\nSergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory.\n\n * [CVE-2009-4484](<https://security-tracker.debian.org/tracker/CVE-2009-4484>)\n\nMultiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field.\n\nFor the oldstable distribution (etch), these problems have been fixed in version 5.0.32-7etch12\n\nFor the stable distribution (lenny), these problems have been fixed in version 5.0.51a-24+lenny3\n\nThe testing (squeeze) and unstable (sid) distribution do not contain mysql-dfsg-5 anymore.\n\nWe recommend that you upgrade your mysql-dfsg-5.0 packages.", "published": "2010-02-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-1997", "cvelist": ["CVE-2009-4030", "CVE-2009-4019", "CVE-2009-4484"], "lastseen": "2016-09-02T18:25:42"}], "ubuntu": [{"id": "USN-897-1", "type": "ubuntu", "title": "MySQL vulnerabilities", "description": "It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This issue only affected Ubuntu 8.10. (CVE-2008-4098)\n\nIt was discovered that MySQL contained a cross-site scripting vulnerability in the command-line client when the \u2013html option is enabled. An attacker could place arbitrary web script or html in a database cell, which would then get placed in the html document output by the command-line tool. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2008-4456)\n\nIt was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use symlinks combined with the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This issue only affected Ubuntu 9.10. (CVE-2008-7247)\n\nIt was discovered that MySQL contained multiple format string flaws when logging database creation and deletion. An authenticated user could use specially crafted database names to make MySQL crash, causing a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2009-2446)\n\nIt was discovered that MySQL incorrectly handled errors when performing certain SELECT statements, and did not preserve correct flags when performing statements that use the GeomFromWKB function. An authenticated user could exploit this to make MySQL crash, causing a denial of service. (CVE-2009-4019)\n\nIt was discovered that MySQL incorrectly checked symlinks when using the DATA DIRECTORY and INDEX DIRECTORY options. A local user could use symlinks to create tables that pointed to tables known to be created at a later time, bypassing access restrictions. (CVE-2009-4030)\n\nIt was discovered that MySQL contained a buffer overflow when parsing ssl certificates. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 LTS and the default compiler options for affected releases should reduce the vulnerability to a denial of service. In the default installation, attackers would also be isolated by the AppArmor MySQL profile. (CVE-2009-4484)", "published": "2010-02-10T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/897-1/", "cvelist": ["CVE-2009-2446", "CVE-2008-4456", "CVE-2009-4030", "CVE-2008-4098", "CVE-2008-7247", "CVE-2009-4019", "CVE-2009-4484"], "lastseen": "2018-03-29T18:21:09"}, {"id": "USN-1397-1", "type": "ubuntu", "title": "MySQL vulnerabilities", "description": "Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.\n\nMySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.95.\n\nIn addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.\n\nPlease see the following for more information:\n\n<http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html> <http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html> <http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html>", "published": "2012-03-12T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1397-1/", "cvelist": ["CVE-2012-0075", "CVE-2012-0489", "CVE-2009-2446", "CVE-2010-3837", "CVE-2010-3680", "CVE-2010-3678", "CVE-2008-4456", "CVE-2010-3839", "CVE-2009-4030", "CVE-2010-3835", "CVE-2012-0112", "CVE-2010-3681", "CVE-2010-3833", "CVE-2012-0491", "CVE-2012-0496", "CVE-2012-0113", "CVE-2007-5925", "CVE-2010-3840", "CVE-2012-0484", "CVE-2012-0494", "CVE-2012-0115", "CVE-2010-1621", "CVE-2010-3682", "CVE-2010-3679", "CVE-2010-1626", "CVE-2008-4098", "CVE-2010-2008", "CVE-2012-0101", "CVE-2010-3836", "CVE-2012-0488", "CVE-2010-3683", "CVE-2010-3677", "CVE-2008-3963", "CVE-2012-0493", "CVE-2010-1850", "CVE-2012-0114", "CVE-2010-3834", "CVE-2012-0495", "CVE-2010-3838", "CVE-2012-0119", "CVE-2012-0492", "CVE-2012-0116", "CVE-2012-0485", "CVE-2010-1848", "CVE-2008-7247", "CVE-2012-0117", "CVE-2012-0487", "CVE-2012-0087", "CVE-2012-0490", "CVE-2010-1849", "CVE-2012-0120", "CVE-2009-4019", "CVE-2011-2262", "CVE-2012-0118", "CVE-2009-4484", "CVE-2012-0102", "CVE-2012-0486"], "lastseen": "2018-03-29T18:20:17"}], "threatpost": [{"id": "APPLE-MEGA-PATCH-COVERS-88-MAC-OS-X-VULNERABILITIES-032910/73753", "type": "threatpost", "title": "Apple Mega Patch Covers 88 Mac OS X Vulnerabilities", "description": "Apple Mega Patch Covers 88 Mac OS X Vulnerabilities\n\nApple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping with fixes for 88 documented vulnerabilities.\n\nThe Mac OS X v10.6.3 update, which is considered \u201ccritical,\u201d covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.\n\nSecurity Update 2010-002 / Mac OS X v10.6.3 is now available and\n\naddresses the following:\n\nAppKit\n\nCVE-ID: CVE-2010-0056\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Spell checking a maliciously crafted document may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow exists in the spell checking feature\n\nused by Cocoa applications. Spell checking a maliciously crafted\n\ndocument may lead to an unexpected application termination or\n\narbitrary code execution. This issue is addressed through improved\n\nbounds checking. This issue does not affect Mac OS X v10.6 systems.\n\nCredit: Apple.\n\nApplication Firewall\n\nCVE-ID: CVE-2009-2801\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Certain rules in the Application Firewall may become\n\ninactive after restart\n\nDescription: A timing issue in the Application Firewall may cause\n\ncertain rules to become inactive after reboot. The issue is addressed\n\nthrough improved handling of Firewall rules. This issue does not\n\naffect Mac OS X v10.6 systems. Credit to Michael Kisor of\n\nOrganicOrb.com for reporting this issue.\n\nAFP Server\n\nCVE-ID: CVE-2010-0057\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: When guest access is disabled, a remote user may be able to\n\nmount AFP shares as a guest\n\nDescription: An access control issue in AFP Server may allow a\n\nremote user to mount AFP shares as a guest, even if guest access is\n\ndisabled. This issue is addressed through improved access control\n\nchecks. Credit: Apple.\n\nAFP Server\n\nCVE-ID: CVE-2010-0533\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A remote user with guest access to an AFP share may access\n\nthe contents of world-readable files outside the Public share\n\nDescription: A directory traversal issue exists in the path\n\nvalidation for AFP shares. A remote user may enumerate the parent\n\ndirectory of the share root, and read or write files within that\n\ndirectory that are accessible to the \u2018nobody\u2019 user. This issue is\n\naddressed through improved handling of file paths. Credit to Patrik\n\nKarlsson of cqure.net for reporting this issue.\n\nApache\n\nCVE-ID: CVE-2009-3095\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may be able to bypass access control\n\nrestrictions\n\nDescription: An input validation issue exists in Apache\u2019s handling\n\nof proxied FTP requests. A remote attacker with the ability to issue\n\nrequests through the proxy may be able to bypass access control\n\nrestrictions specified in the Apache configuration. This issue is\n\naddressed by updating Apache to version 2.2.14.\n\nClamAV\n\nCVE-ID: CVE-2010-0058\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: ClamAV virus definitions may not receive updates\n\nDescription: A configuration issue introduced in Security Update\n\n2009-005 prevents freshclam from running. This may prevent virus\n\ndefinitions from being updated. This issue is addressed by updating\n\nfreshclam\u2019s launchd plist ProgramArguments key values. This issue\n\ndoes not affect Mac OS X v10.6 systems. Credit to Bayard Bell, Wil\n\nShipley of Delicious Monster, and David Ferrero of Zion Software, LLC\n\nfor reporting this issue.\n\nCoreAudio\n\nCVE-ID: CVE-2010-0059\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Playing maliciously crafted audio content may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue exists in the handling of\n\nQDM2 encoded audio content. Playing maliciously crafted audio content\n\nmay lead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed through improved bounds checking.\n\nCredit to an anonymous researcher working with TippingPoint\u2019s Zero\n\nDay Initiative for reporting this issue.\n\nCoreAudio\n\nCVE-ID: CVE-2010-0060\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Playing maliciously crafted audio content may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue exists in the handling of\n\nQDMC encoded audio content. Playing maliciously crafted audio content\n\nmay lead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed through improved bounds checking.\n\nCredit to an anonymous researcher working with TippingPoint\u2019s Zero\n\nDay Initiative for reporting this issue.\n\nCoreMedia\n\nCVE-ID: CVE-2010-0062\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in CoreMedia\u2019s handling\n\nof H.263 encoded movie files. Viewing a maliciously crafted movie\n\nfile may lead to an unexpected application termination or arbitrary\n\ncode execution. This issue is addressed by performing additional\n\nvalidation of H.263 encoded movie files. Credit to Damian Put working\n\nwith TippingPoint\u2019s Zero Day Initiative for reporting this issue.\n\nCoreTypes\n\nCVE-ID: CVE-2010-0063\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Users are not warned before opening certain potentially\n\nunsafe content types\n\nDescription: This update adds .ibplugin and .url to the system\u2019s\n\nlist of content types that will be flagged as potentially unsafe\n\nunder certain circumstances, such as when they are downloaded from a\n\nweb page. While these content types are not automatically launched,\n\nif manually opened they could lead to the execution of a malicious\n\nJavaScript payload or arbitrary code execution. This update improves\n\nthe system\u2019s ability to notify users before handling content types\n\nused by Safari. Credit to Clint Ruoho of Laconic Security for\n\nreporting this issue.\n\nCUPS\n\nCVE-ID: CVE-2010-0393\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A local user may be able to obtain system privileges\n\nDescription: A format string issue exists in the lppasswd CUPS\n\nutility. This may allow a local user to obtain system privileges. Mac\n\nOS X v10.6 systems are only affected if the setuid bit has been set\n\non the binary. This issue is addressed by using default directories\n\nwhen running as a setuid process. Credit to Ronald Volgers for\n\nreporting this issue.\n\ncurl\n\nCVE-ID: CVE-2009-2417\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A man-in-the-middle attacker may be able to impersonate a\n\ntrusted server\n\nDescription: A canonicalization issue exists in curl\u2019s handling of\n\nNULL characters in the subject\u2019s Common Name (CN) field of X.509\n\ncertificates. This may lead to man-in-the-middle attacks against\n\nusers of the curl command line tool, or applications using libcurl.\n\nThis issue is addressed through improved handling of NULL characters.\n\ncurl\n\nCVE-ID: CVE-2009-0037\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Using curl with -L may allow a remote attacker to read or\n\nwrite local files\n\nDescription: curl will follow HTTP and HTTPS redirects when used\n\nwith the -L option. When curl follows a redirect, it allows file://\n\nURLs. This may allow a remote attacker to access local files. This\n\nissue is addressed through improved validation of redirects. This\n\nissue does not affect Mac OS X v10.6 systems. Credit to Daniel\n\nStenberg of Haxx AB for reporting this issue.\n\nCyrus IMAP\n\nCVE-ID: CVE-2009-2632\n\nAvailable for: Mac OS X Server v10.5.8\n\nImpact: A local user may be able to obtain the privileges of the\n\nCyrus user\n\nDescription: A buffer overflow exists in the handling of sieve\n\nscripts. By running a maliciously crafted sieve script, a local user\n\nmay be able to obtain the privileges of the Cyrus user. This issue is\n\naddressed through improved bounds checking. This issue does not\n\naffect Mac OS X v10.6 systems.\n\nCyrus SASL\n\nCVE-ID: CVE-2009-0688\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: An unauthenticated remote attacker may cause unexpected\n\napplication termination or arbitrary code execution\n\nDescription: A buffer overflow exists in the Cyrus SASL\n\nauthentication module. Using Cyrus SASL authentication may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed through improved bounds checking. This issue does\n\nnot affect Mac OS X v10.6 systems.\n\nDesktopServices\n\nCVE-ID: CVE-2010-0064\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Items copied in the Finder may be assigned an unexpected\n\nfile owner\n\nDescription: When performing an authenticated copy in the Finder,\n\noriginal file ownership may be unexpectedly copied. This update\n\naddresses the issue by ensuring that copied files are owned by the\n\nuser performing the copy. This issue does not affect systems prior to\n\nMac OS X v10.6. Credit to Gerrit DeWitt of Auburn University (Auburn,\n\nAL) for reporting this issue.\n\nDesktopServices\n\nCVE-ID: CVE-2010-0537\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may gain access to user data via a multi-\n\nstage attack\n\nDescription: A path resolution issue in DesktopServices is\n\nvulnerable to a multi-stage attack. A remote attacker must first\n\nentice the user to mount an arbitrarily named share, which may be\n\ndone via a URL scheme. When saving a file using the default save\n\npanel in any application, and using \u201cGo to folder\u201d or dragging\n\nfolders to the save panel, the data may be unexpectedly saved to the\n\nmalicious share. This issue is addressed through improved path\n\nresolution. This issue does not affect systems prior to Mac OS X\n\nv10.6. Credit to Sidney San Martin working with DeepTech, Inc. for\n\nreporting this issue.\n\nDisk Images\n\nCVE-ID: CVE-2010-0065\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Mounting a maliciously crafted disk image may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue exists in the handling of\n\nbzip2 compressed disk images. Mounting a maliciously crafted disk\n\nimage may lead to an unexpected application termination or arbitrary\n\ncode execution. This issue is addressed through improved bounds\n\nchecking. Credit: Apple.\n\nDisk Images\n\nCVE-ID: CVE-2010-0497\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Mounting a maliciously crafted disk image may lead to\n\narbitrary code execution\n\nDescription: A design issue exists in the handling of internet\n\nenabled disk images. Mounting an internet enabled disk image\n\ncontaining a package file type will open it rather than revealing it\n\nin the Finder. This file quarantine feature helps to mitigate this\n\nissue by providing a warning dialog for unsafe file types. This issue\n\nis addressed through improved handling of package file types on\n\ninternet enabled disk images. Credit to Brian Mastenbrook working\n\nwith TippingPoint\u2019s Zero Day Initiative for reporting this issue.\n\nDirectory Services\n\nCVE-ID: CVE-2010-0498\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A local user may obtain system privileges\n\nDescription: An authorization issue in Directory Services\u2019 handling\n\nof record names may allow a local user to obtain system privileges.\n\nThis issue is addressed through improved authorization checks.\n\nCredit: Apple.\n\nDovecot\n\nCVE-ID: CVE-2010-0535\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: An authenticated user may be able to send and receive mail\n\neven if the user is not on the SACL of users who are permitted to do\n\nso\n\nDescription: An access control issue exists in Dovecot when Kerberos\n\nauthentication is enabled. This may allow an authenticated user to\n\nsend and receive mail even if the user is not on the service access\n\ncontrol list (SACL) of users who are permitted to do so. This issue\n\nis addressed through improved access control checks. This issue does\n\nnot affect systems prior to Mac OS X v10.6.\n\nEvent Monitor\n\nCVE-ID: CVE-2010-0500\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may cause arbitrary systems to be added to\n\nthe firewall blacklist\n\nDescription: A reverse DNS lookup is performed on remote ssh clients\n\nthat fail to authenticate. A plist injection issue exists in the\n\nhandling of resolved DNS names. This may allow a remote attacker to\n\ncause arbitrary systems to be added to the firewall blacklist. This\n\nissue is addressed by properly escaping resolved DNS names. Credit:\n\nApple.\n\nFreeRADIUS\n\nCVE-ID: CVE-2010-0524\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may obtain access to a network via RADIUS\n\nauthentication\n\nDescription: A certificate authentication issue exists in the\n\ndefault Mac OS X configuration of the FreeRADIUS server. A remote\n\nattacker may use EAP-TLS with an arbitrary valid certificate to\n\nauthenticate and connect to a network configured to use FreeRADIUS\n\nfor authentication. This issue is addressed by disabling support for\n\nEAP-TLS in the configuration. RADIUS clients should use EAP-TTLS\n\ninstead. This issue only affects Mac OS X Server systems. Credit to\n\nChris Linstruth of Qnet for reporting this issue.\n\nFTP Server\n\nCVE-ID: CVE-2010-0501\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Users may be able to retrieve files outside the FTP root\n\ndirectory\n\nDescription: A directory traversal issue exists in FTP Server. This\n\nmay allow a user to retrieve files outside the FTP root directory.\n\nThis issue is addressed through improved handling of file names. This\n\nissue only affects Mac OS X Server systems. Credit: Apple.\n\niChat Server\n\nCVE-ID: CVE-2006-1329\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: An implementation issue exists in jabberd\u2019s handling of\n\nSASL negotiation. A remote attacker may be able to terminate the\n\noperation of jabberd. This issue is addressed through improved\n\nhandling of SASL negotiation. This issue only affects Mac OS X Server\n\nsystems.\n\niChat Server\n\nCVE-ID: CVE-2010-0502\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Chat messages may not be logged\n\nDescription: A design issue exists in iChat Server\u2019s support for\n\nconfigurable group chat logging. iChat Server only logs messages with\n\ncertain message types. This may allow a remote user to send a message\n\nthrough the server without it being logged. The issue is addressed by\n\nremoving the capability to disable group chat logs, and logging all\n\nmessages that are sent through the server. This issue only affects\n\nMac OS X Server systems. Credit: Apple.\n\niChat Server\n\nCVE-ID: CVE-2010-0503\n\nAvailable for: Mac OS X Server v10.5.8\n\nImpact: An authenticated user may be able to cause an unexpected\n\napplication termination or arbitrary code execution\n\nDescription: A use-after-free issue exists in iChat Server. An\n\nauthenticated user may be able to cause an unexpected application\n\ntermination or arbitrary code execution. This issue is addressed\n\nthrough improved memory reference tracking. This issue only affects\n\nMac OS X Server systems, and does not affect versions 10.6 or later.\n\niChat Server\n\nCVE-ID: CVE-2010-0504\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: An authenticated user may be able to cause an unexpected\n\napplication termination or arbitrary code execution\n\nDescription: Multiple stack buffer overflow issues exist in iChat\n\nServer. An authenticated user may be able to cause an unexpected\n\napplication termination or arbitrary code execution. These issues are\n\naddressed through improved memory management. These issues only\n\naffect Mac OS X Server systems. Credit: Apple.\n\nImageIO\n\nCVE-ID: CVE-2010-0505\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted JP2 image may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in the handling of JP2\n\nimages. Viewing a maliciously crafted JP2 image may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed through improved bounds checking. Credit to Chris\n\nRies of Carnegie Mellon University Computing Service, and researcher\n\n\u201c85319bb6e6ab398b334509c50afce5259d42756e\u201d working with\n\nTippingPoint\u2019s Zero Day Initiative for reporting this issue.\n\nImageIO\n\nCVE-ID: CVE-2010-0041\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Visiting a maliciously crafted website may result in sending\n\ndata from Safari\u2019s memory to the website\n\nDescription: An uninitialized memory access issue exists in\n\nImageIO\u2019s handling of BMP images. Visiting a maliciously crafted\n\nwebsite may result in sending data from Safari\u2019s memory to the\n\nwebsite. This issue is addressed through improved memory\n\ninitialization and additional validation of BMP images. Credit to\n\nMatthew \u2018j00ru\u2019 Jurczyk of Hispasec for reporting this issue.\n\nImageIO\n\nCVE-ID: CVE-2010-0042\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Visiting a maliciously crafted website may result in sending\n\ndata from Safari\u2019s memory to the website\n\nDescription: An uninitialized memory access issue exists in\n\nImageIO\u2019s handling of TIFF images. Visiting a maliciously crafted\n\nwebsite may result in sending data from Safari\u2019s memory to the\n\nwebsite. This issue is addressed through improved memory\n\ninitialization and additional validation of TIFF images. Credit to\n\nMatthew \u2018j00ru\u2019 Jurczyk of Hispasec for reporting this issue.\n\nImageIO\n\nCVE-ID: CVE-2010-0043\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Processing a maliciously crafted TIFF image may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue exists in the handling of\n\nTIFF images. Processing a maliciously crafted TIFF image may lead to\n\nan unexpected application termination or arbitrary code execution.\n\nThis issue is addressed through improved memory handling. This issue\n\ndoes not affect systems prior to Mac OS X v10.6. Credit to Gus\n\nMueller of Flying Meat for reporting this issue.\n\nImage RAW\n\nCVE-ID: CVE-2010-0506\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Viewing a maliciously crafted NEF image may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow exists in Image RAW\u2019s handling of NEF\n\nimages. Viewing a maliciously crafted NEF image may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed through improved bounds checking. This issue does\n\nnot affect Mac OS X v10.6 systems. Credit: Apple.\n\nImage RAW\n\nCVE-ID: CVE-2010-0507\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted PEF image may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow exists in Image RAW\u2019s handling of PEF\n\nimages. Viewing a maliciously crafted PEF image may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed through improved bounds checking. Credit to Chris\n\nRies of Carnegie Mellon University Computing Services for reporting\n\nthis issue.\n\nLibsystem\n\nCVE-ID: CVE-2009-0689\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Applications that convert untrusted data between binary\n\nfloating point and text may be vulnerable to an unexpected\n\napplication termination or arbitrary code execution\n\nDescription: A buffer overflow exists in the floating point binary\n\nto text conversion code within Libsystem. An attacker who can cause\n\nan application to convert a floating point value into a long string,\n\nor to parse a maliciously crafted string as a floating point value,\n\nmay be able to cause an unexpected application termination or\n\narbitrary code execution. This issue is addressed through improved\n\nbounds checking. Credit to Maksymilian Arciemowicz of\n\nSecurityReason.com for reporting this issue.\n\nMail\n\nCVE-ID: CVE-2010-0508\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Rules associated with a deleted mail account remain in\n\neffect\n\nDescription: When a mail account is deleted, user-defined filter\n\nrules associated with that account remain active. This may result in\n\nunexpected actions. This issue is addressed by disabling associated\n\nrules when a mail account is deleted.\n\nMail\n\nCVE-ID: CVE-2010-0525\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Mail may use a weaker encryption key for outgoing email\n\nDescription: A logic issue exists in Mail\u2019s handling of encryption\n\ncertificates. When multiple certificates for the recipient exist in\n\nthe keychain, Mail may select an encryption key that is not intended\n\nfor encipherment. This may lead to a security issue if the chosen key\n\nis weaker than expected. This issue is addressed by ensuring that the\n\nkey usage extension within certificates is evaluated when selecting a\n\nmail encryption key. Credit to Paul Suh of ps Enable, Inc. for\n\nreporting this issue.\n\nMailman\n\nCVE-ID: CVE-2008-0564\n\nAvailable for: Mac OS X Server v10.5.8\n\nImpact: Multiple vulnerabilities in Mailman 2.1.9\n\nDescription: Multiple cross-site scripting issues exist in Mailman\n\n2.1.9. These issues are addressed by updating Mailman to version\n\n2.1.13. Further information is available via the Mailman site at\n\nhttp://mail.python.org/pipermail/mailman-\n\nannounce/2009-January/000128.html These issues only affect Mac OS X\n\nServer systems, and do not affect versions 10.6 or later.\n\nMySQL\n\nCVE-ID: CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019,\n\nCVE-2009-4030\n\nAvailable for: Mac OS X Server v10.6 through v10.6.2\n\nImpact: Multiple vulnerabilities in MySQL 5.0.82\n\nDescription: MySQL is updated to version 5.0.88 to address multiple\n\nvulnerabilities, the most serious of which may lead to arbitrary code\n\nexecution. These issues only affect Mac OS X Server systems. Further\n\ninformation is available via the MySQL web site at\n\nhttp://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html\n\nOS Services\n\nCVE-ID: CVE-2010-0509\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A local user may be able to obtain elevated privileges\n\nDescription: A privilege escalation issue exists in SFLServer, as it\n\nruns as group \u2018wheel\u2019 and accesses files in users\u2019 home directories.\n\nThis issue is addressed through improved privilege management. Credit\n\nto Kevin Finisterre of DigitalMunition for reporting this issue.\n\nPassword Server\n\nCVE-ID: CVE-2010-0510\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may be able to log in with an outdated\n\npassword\n\nDescription: An implementation issue in Password Server\u2019s handling\n\nof replication may cause passwords to not be replicated. A remote\n\nattacker may be able to log in to a system using an outdated\n\npassword. This issue is addressed through improved handling of\n\npassword replication. This issue only affects Mac OS X Server\n\nsystems. Credit to Jack Johnson of Anchorage School District for\n\nreporting this issue.\n\nperl\n\nCVE-ID: CVE-2008-5302, CVE-2008-5303\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: A local user may cause arbitrary files to be deleted\n\nDescription: Multiple race condition issues exist in the rmtree\n\nfunction of the perl module File::Path. A local user with write\n\naccess to a directory that is being deleted may cause arbitrary files\n\nto be removed with the privileges of the perl process. This issue is\n\naddressed through improved handling of symbolic links. This issue\n\ndoes not affect Mac OS X v10.6 systems.\n\nPHP\n\nCVE-ID: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Multiple vulnerabilities in PHP 5.3.0\n\nDescription: PHP is updated to version 5.3.1 to address multiple\n\nvulnerabilities, the most serious of which may lead to arbitary code\n\nexecution. Further information is available via the PHP website at\n\nhttp://www.php.net/\n\nPHP\n\nCVE-ID: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4142,\n\nCVE-2009-4143\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Multiple vulnerabilities in PHP 5.2.11\n\nDescription: PHP is updated to version 5.2.12 to address multiple\n\nvulnerabilities, the most serious of which may lead to cross-site\n\nscripting. Further information is available via the PHP website at\n\nhttp://www.php.net/\n\nPodcast Producer\n\nCVE-ID: CVE-2010-0511\n\nAvailable for: Mac OS X Server v10.6 through v10.6.2\n\nImpact: An unauthorized user may be able to access a Podcast\n\nComposer workflow\n\nDescription: When a Podcast Composer workflow is overwritten, the\n\naccess restrictions are removed. This may allow an unauthorized user\n\nto access a Podcast Composer workflow. This issue is addressed\n\nthrough improved handling of workflow access restrictions. Podcast\n\nComposer was introduced in Mac OS X Server v10.6.\n\nPreferences\n\nCVE-ID: CVE-2010-0512\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A network user may be able to bypass system login\n\nrestrictions\n\nDescription: An implementation issue exists in the handling of\n\nsystem login restrictions for network accounts. If the network\n\naccounts allowed to log in to the system at the Login Window are\n\nidentified by group membership only, the restriction will not be\n\nenforced, and all network users will be allowed to log in to the\n\nsystem. The issue is addressed through improved group restriction\n\nmanagement in the Accounts preference pane. This issue only affects\n\nsystems configured to use a network account server, and does not\n\naffect systems prior to Mac OS X v10.6. Credit to Christopher D.\n\nGrieb of University of Michigan MSIS for reporting this issue.\n\nPS Normalizer\n\nCVE-ID: CVE-2010-0513\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted PostScript file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A stack buffer overflow exists in the handling of\n\nPostScript files. Viewing a maliciously crafted PostScript file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed by performing additional\n\nvalidation of PostScript files. On Mac OS X v10.6 systems this issue\n\nis mitigated by the -fstack-protector compiler flag. Credit: Apple.\n\nQuickTime\n\nCVE-ID: CVE-2010-0062\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in QuickTime\u2019s handling\n\nof H.263 encoded movie files. Viewing a maliciously crafted movie\n\nfile may lead to an unexpected application termination or arbitrary\n\ncode execution. This issue is addressed by performing additional\n\nvalidation of H.263 encoded movie files. Credit to Damian Put working\n\nwith TippingPoint\u2019s Zero Day Initiative for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0514\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in the handling of H.261\n\nencoded movie files. Viewing a maliciously crafted movie file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed by performing additional\n\nvalidation of H.261 encoded movie files. Credit to Will Dormann of\n\nthe CERT/CC for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0515\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption in the handling of H.264 encoded\n\nmovie files. Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed by performing additional validation of H.264\n\nencoded movie files.\n\nQuickTime\n\nCVE-ID: CVE-2010-0516\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow in the handling of RLE encoded\n\nmovie files. Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution. This\n\nissue is addressed by performing additional validation of RLE encoded\n\nmovie files. Credit to an anonymous researcher working with\n\nTippingPoint\u2019s Zero Day Initiative for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0517\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow in the handling of M-JPEG\n\nencoded movie files. Viewing a maliciously crafted movie file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed by performing additional\n\nvalidation of M-JPEG encoded movie files. Credit to Damian Put\n\nworking with TippingPoint\u2019s Zero Day Initiative for reporting this\n\nissue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0518\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue exists in the handling of\n\nSorenson encoded movie files. Viewing a maliciously crafted movie\n\nfile may lead to an unexpected application termination or arbitrary\n\ncode execution. This issue is addressed by performing additional\n\nvalidation of Sorenson encoded movie files. Credit to Will Dormann of\n\nthe CERT/CC for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0519\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: An integer overflow exists in the handling of FlashPix\n\nencoded movie files. Viewing a maliciously crafted movie file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed through improved bounds checking.\n\nCredit to an anonymous researcher working with TippingPoint\u2019s Zero\n\nDay Initiative for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0520\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted movie file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in the handling of FLC\n\nencoded movie files. Viewing a maliciously crafted movie file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed by performing additional\n\nvalidation of FLC encoded movie files. Credit to Moritz Jodeit of\n\nn.runs AG, working with TippingPoint\u2019s Zero Day Initiative, and\n\nNicols Joly of VUPEN Security for reporting this issue.\n\nQuickTime\n\nCVE-ID: CVE-2010-0526\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted MPEG file may lead to an\n\nunexpected application termination or arbitrary code execution\n\nDescription: A heap buffer overflow exists in the handling of MPEG\n\nencoded movie files. Viewing a maliciously crafted movie file may\n\nlead to an unexpected application termination or arbitrary code\n\nexecution. This issue is addressed by performing additional\n\nvalidation of MPEG encoded movie files. Credit to an anonymous\n\nresearcher working with TippingPoint\u2019s Zero Day Initiative for\n\nreporting this issue.\n\nRuby\n\nCVE-ID: CVE-2009-2422, CVE-2009-3009, CVE-2009-4214\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Multiple issues in Ruby on Rails\n\nDescription: Multiple vulnerabilities exist in Ruby on Rails, the\n\nmost serious of which may lead to cross-site scripting. On Mac OS X\n\nv10.6 systems, these issues are addressed by updating Ruby on Rails\n\nto version 2.3.5. Mac OS X v10.5 systems are affected only by\n\nCVE-2009-4214, and this issue is addressed through improved\n\nvalidation of arguments to strip_tags.\n\nRuby\n\nCVE-ID: CVE-2009-1904\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Running a Ruby script that uses untrusted input to\n\ninitialize a BigDecimal object may lead to an unexpected application\n\ntermination\n\nDescription: A stack exhaustion issue exists in Ruby\u2019s handling of\n\nBigDecimal objects with very large values. Running a Ruby script that\n\nuses untrusted input to initialize a BigDecimal object may lead to an\n\nunexpected application termination. For Mac OS X v10.6 systems, this\n\nissue is addressed by updating Ruby to version 1.8.7-p173. For Mac OS\n\nv10.5 systems, this issue is addressed by updating Ruby to version\n\n1.8.6-p369.\n\nServer Admin\n\nCVE-ID: CVE-2010-0521\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may extract information from Open\n\nDirectory\n\nDescription: A design issue exists in the handling of authenticated\n\ndirectory binding. A remote attacker may be able to anonymously\n\nextract information from Open Directory, even if the \u201cRequire\n\nauthenticated binding between directory and clients\u201d option is\n\nenabled. The issue is addressed by removing this configuration\n\noption. This issue only affects Mac OS X Server systems. Credit to\n\nScott Gruby of Gruby Solutions, and Mathias Haack of GRAVIS\n\nComputervertriebsgesellschaft mbH for reporting this issue.\n\nServer Admin\n\nCVE-ID: CVE-2010-0522\n\nAvailable for: Mac OS X Server v10.5.8\n\nImpact: A former administrator may have unauthorized access to\n\nscreen sharing\n\nDescription: A user who is removed from the \u2018admin\u2019 group may still\n\nconnect to the server using screen sharing. This issue is addressed\n\nthrough improved handling of administrator privileges. This issue\n\nonly affects Mac OS X Server systems, and does not affect version\n\n10.6 or later. Credit: Apple.\n\nSMB\n\nCVE-ID: CVE-2009-2906\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: An infinite loop issue exists in Samba\u2019s handling of\n\nSMB \u2018oplock\u2019 break notifications. A remote attacker may be able to\n\ntrigger an infinite loop in smbd, causing it to consume excessive CPU\n\nresources. The issue is addressed through improved handling of\n\n\u2018oplock\u2019 break notifications.\n\nTomcat\n\nCVE-ID: CVE-2009-0580, CVE-2009-0033, CVE-2009-0783, CVE-2008-5515,\n\nCVE-2009-0781, CVE-2009-2901, CVE-2009-2902, CVE-2009-2693\n\nAvailable for: Mac OS X Server v10.5.8,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: Multiple vulnerabilities in Tomcat 6.0.18\n\nDescription: Tomcat is updated to version 6.0.24 to address multiple\n\nvulnerabilities, the most serious of which may lead to a cross site\n\nscripting attack. Tomcat is only provided on Mac OS X Server systems.\n\nFurther information is available via the Tomcat site at\n\nhttp://tomcat.apache.org/\n\nunzip\n\nCVE-ID: CVE-2008-0888\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Extracting maliciously crafted zip files using the unzip\n\ncommand tool may lead to an unexpected application termination or\n\ncode execution\n\nDescription: An uninitialized pointer issue exists is the handling\n\nof zip files. Extracting maliciously crafted zip files using the\n\nunzip command tool may lead to an unexpected application termination\n\nor arbitrary code execution. This issue is addressed by performing\n\nadditional validation of zip files. This issue does not affect Mac OS\n\nX v10.6 systems.\n\nvim\n\nCVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2009-0316\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: Multiple vulnerabilities in vim 7.0\n\nDescription: Multiple vulnerabilities exist in vim 7.0, the most\n\nserious of which may lead to arbitrary code execution when working\n\nwith maliciously crafted files. These issues are addressed by\n\nupdating to vim 7.2.102. These issues do not affect Mac OS X v10.6\n\nsystems. Further information is available via the vim website at\n\nhttp://www.vim.org/\n\nWiki Server\n\nCVE-ID: CVE-2010-0523\n\nAvailable for: Mac OS X Server v10.5.8\n\nImpact: Uploading a maliciously crafted applet may lead to the\n\ndisclosure of sensitive information\n\nDescription: Wiki Server allows users to upload active content such\n\nas Java applets. A remote attacker may obtain sensitive information\n\nby uploading a maliciously crafted applet and directing a Wiki Server\n\nuser to view it. The issue is addressed by restricting the file types\n\nthat may be uploaded to the Wiki Server. This issue only affects Mac\n\nOS X Server systems, and does not affect versions 10.6 or later.\n\nWiki Server\n\nCVE-ID: CVE-2010-0534\n\nAvailable for: Mac OS X v10.6 through v10.6.2,\n\nMac OS X Server v10.6 through v10.6.2\n\nImpact: An authenticated user may bypass weblog creation\n\nrestrictions\n\nDescription: Wiki Server supports service access control lists\n\n(SACLs), allowing an administrator to control the publication of\n\ncontent. Wiki Server fails to consult the weblog SACL during the\n\ncreation of a user\u2019s weblog. This may allow an authenticated user to\n\npublish content to the Wiki Server, even though publication should be\n\ndisallowed by the service ACL. This issue does not affect systems\n\nprior to Mac OS X v10.6.\n\nX11\n\nCVE-ID: CVE-2009-2042\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Viewing a maliciously crafted image may lead to the\n\ndisclosure of sensitive information\n\nDescription: libpng is updated to version 1.2.37 to address an issue\n\nthat may result in the disclosure of sensitive information. Further\n\ninformation is available via the libpng site at\n\nhttp://www.libpng.org/pub/png/libpng.html\n\nX11\n\nCVE-ID: CVE-2003-0063\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,\n\nMac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2\n\nImpact: Displaying maliciously crafted data within an xterm terminal\n\nmay lead to arbitrary code execution\n\nDescription: The xterm program supports a command sequence to change\n\nthe window title, and to print the window title to the terminal. The\n\ninformation returned is provided to the terminal as though it were\n\nkeyboard input from the user. Within an xterm terminal, displaying\n\nmaliciously crafted data containing such sequences may result in\n\ncommand injection. The issue is addressed by disabling the affected\n\ncommand sequence.\n\nxar\n\nCVE-ID: CVE-2010-0055\n\nAvailable for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\n\nImpact: A modified package may appear as validly signed\n\nDescription: A design issue exists in xar when validating a package\n\nsignature. This may allow a modified package to appear as validly\n\nsigned. This issue is fixed through improved package signature\n\nvalidation. This issue does not affect Mac OS X v10.6 systems.\n\nCredit: Apple.\n\nSecurity Update 2010-002 / Mac OS X v10.6.3 may be obtained from\n\nthe Software Update pane in System Preferences, or Apple\u2019s Software\n\nDownloads web site:\n\nhttp://www.apple.com/support/downloads/\n\n[![](https://trtpost-wpengine.netdna-ssl.com/files/2013/04/mac_os_x_patch_1.jpg)](<https://threatpost.com/apple-mega-patch-covers-88-mac-os-x-vulnerabilities-032910/>)Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.\n\nThe Mac OS X v10.6.3 update, which is considered \u201ccritical,\u201d covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.\n\n### Related Posts\n\n#### [Apple Patches Trident Vulnerabilities in OS X, Safari](<https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/> \"Permalink to Apple Patches Trident Vulnerabilities in OS X, Safari\" )\n\nSeptember 2, 2016 , 10:00 am\n\n#### [Microsoft Mistakenly Leaks Secure Boot Key](<https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/> \"Permalink to Microsoft Mistakenly Leaks Secure Boot Key\" )\n\nAugust 11, 2016 , 11:31 am\n\n#### [Putting Apple Bug Bounty Rewards in Perspective](<https://threatpost.com/putting-apple-bug-bounty-rewards-in-perspective/119794/> \"Permalink to Putting Apple Bug Bounty Rewards in Perspective\" )\n\nAugust 10, 2016 , 11:00 am\n\nIn some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.\n\nThe update covers critical vulnerabilities in AppKit, QuickTime,CoreMedia, CoreTypes, DiskImages, ImageIO and Image RAW.\n\nIt also covers holes in several open-source components, including Apache, ClamAV, MySQL, PHP.\n\nHere\u2019s [the full list](<http://support.apple.com/kb/HT4077>) of the patched vulnerabilities. \n\nThe Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from the Software Update pane in System Preferences, or [Apple\u2019s Software Downloads](<site:http://www.apple.com/support/downloads/>) web page.", "published": "2010-03-29T17:15:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/apple-mega-patch-covers-88-mac-os-x-vulnerabilities-032910/73753/", "cvelist": ["CVE-2010-0060", "CVE-2010-0517", "CVE-2010-0505", "CVE-2009-2906", "CVE-2008-0564", "CVE-2010-0041", "CVE-2009-2446", "CVE-2009-3558", "CVE-2009-2417", "CVE-2008-0888", "CVE-2010-0498", "CVE-2010-0506", "CVE-2009-2632", "CVE-2008-5302", "CVE-2009-0033", "CVE-2008-4456", "CVE-2010-0515", "CVE-2010-0500", "CVE-2009-1904", "CVE-2010-0537", "CVE-2009-4030", "CVE-2010-0522", "CVE-2008-5303", "CVE-2010-0520", "CVE-2010-0504", "CVE-2010-0514", "CVE-2009-2693", "CVE-2010-0519", "CVE-2009-2042", "CVE-2010-0510", "CVE-2010-0511", "CVE-2009-0580", "CVE-2010-0512", "CVE-2009-0781", "CVE-2009-4214", "CVE-2008-5515", "CVE-2003-0063", "CVE-2009-2801", "CVE-2010-0055", "CVE-2009-0688", "CVE-2010-0523", "CVE-2010-0497", "CVE-2010-0503", "CVE-2010-0056", "CVE-2010-0533", "CVE-2010-0501", "CVE-2009-0316", "CVE-2009-3009", "CVE-2010-0062", "CVE-2009-4142", "CVE-2010-0507", "CVE-2010-0508", "CVE-2009-0689", "CVE-2009-0037", "CVE-2010-0525", "CVE-2009-2901", "CVE-2008-4101", "CVE-2010-0063", "CVE-2010-0065", "CVE-2010-0509", "CVE-2009-2422", "CVE-2009-3095", "CVE-2010-0058", "CVE-2010-0059", "CVE-2009-4017", "CVE-2010-0535", "CVE-2009-0783", "CVE-2009-4143", "CVE-2010-0043", "CVE-2010-0518", "CVE-2010-0526", "CVE-2010-0516", "CVE-2010-0513", "CVE-2009-3559", "CVE-2010-0502", "CVE-2008-7247", "CVE-2006-1329", "CVE-2009-2902", "CVE-2010-0057", "CVE-2008-2712", "CVE-2009-4019", "CVE-2010-0521", "CVE-2010-0393", "CVE-2010-0524", "CVE-2010-0064", "CVE-2010-0534", "CVE-2010-0042", "CVE-2009-3557"], "lastseen": "2016-09-04T20:51:55"}], "gentoo": [{"id": "GLSA-201201-02", "type": "gentoo", "title": "MySQL: Multiple vulnerabilities", "description": "### Background\n\nMySQL is a popular open-source multi-threaded, multi-user SQL database server. \n\n### Description\n\nMultiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll MySQL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/mysql-5.1.56\"\n \n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue.", "published": "2012-01-05T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201201-02", "cvelist": ["CVE-2009-2446", "CVE-2010-3837", "CVE-2010-3680", "CVE-2010-3678", "CVE-2008-4456", "CVE-2010-3839", "CVE-2010-3835", "CVE-2008-4097", "CVE-2010-3681", "CVE-2010-3833", "CVE-2010-3840", "CVE-2010-1621", "CVE-2009-4028", "CVE-2010-3682", "CVE-2010-3679", "CVE-2010-1626", "CVE-2008-4098", "CVE-2010-2008", "CVE-2010-3676", "CVE-2010-3836", "CVE-2010-3683", "CVE-2010-3677", "CVE-2008-3963", "CVE-2010-1850", "CVE-2010-3834", "CVE-2010-3838", "CVE-2010-1848", "CVE-2008-7247", "CVE-2010-1849", "CVE-2009-4019", "CVE-2009-4484"], "lastseen": "2016-09-06T19:47:06"}], "exploitdb": [{"id": "EDB-ID:33397", "type": "exploitdb", "title": "MySQL <= 6.0.9 SELECT Statement WHERE Clause Sub-query DoS", "description": "MySQL 6.0.9 SELECT Statement WHERE Clause Sub-query DoS. CVE-2009-4019. Dos exploit for linux platform", "published": "2009-11-23T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/33397/", "cvelist": ["CVE-2009-4019"], "lastseen": "2016-02-03T19:06:33"}, {"id": "EDB-ID:33398", "type": "exploitdb", "title": "MySQL <= 6.0.9 GeomFromWKB Function First Argument Geometry Value Handling DoS", "description": "MySQL 6.0.9 GeomFromWKB() Function First Argument Geometry Value Handling DoS. CVE-2009-4019. Dos exploit for linux platform", "published": "2009-11-23T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/33398/", "cvelist": ["CVE-2009-4019"], "lastseen": "2016-02-03T19:06:41"}, {"id": "EDB-ID:16850", "type": "exploitdb", "title": "MySQL yaSSL CertDecoder::GetName Buffer Overflow", "description": "MySQL yaSSL CertDecoder::GetName Buffer Overflow. CVE-2009-4484. Remote exploit for linux platform", "published": "2010-04-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/16850/", "cvelist": ["CVE-2009-4484"], "lastseen": "2016-02-02T06:39:54"}], "metasploit": [{"id": "MSF:EXPLOIT/LINUX/MYSQL/MYSQL_YASSL_GETNAME", "type": "metasploit", "title": "MySQL yaSSL CertDecoder::GetName Buffer Overflow", "description": "This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside \"taocrypt/src/asn.cpp\". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.", "published": "2010-01-27T23:24:44", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2009-4484"], "lastseen": "2018-06-06T18:20:06"}]}}