[SECURITY] [DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass

2008-11-10T00:00:00
ID SECURITYVULNS:DOC:20846
Type securityvulns
Reporter Securityvulns
Modified 2008-11-10T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1


Debian Security Advisory DSA-1662-1 security@debian.org http://www.debian.org/security/ Devin Carraway November 06, 2008 http://www.debian.org/security/faq


Package : mysql-dfsg-5.0 Vulnerability : authorization bypass Problem type : local Debian-specific: no CVE Id(s) : CVE-2008-4098 Debian Bug : 480292

A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access.

The Common Vulnerabilities and Exposures project identifies this vulnerability as CVE-2008-4098. Note that a closely aligned issue, identified as CVE-2008-4097, was prevented by the update announced in DSA-1608-1. This new update supercedes that fix and mitigates both potential attack vectors.

For the stable distribution (etch), this problem has been fixed in version 5.0.32-7etch8.

We recommend that you upgrade your mysql packages.

Upgrade instructions


wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch


Debian (stable)


Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.dsc Size/MD5 checksum: 1117 6456a5396b56431a31e2121805ef3208 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch8.diff.gz Size/MD5 checksum: 269277 bc749451446872ac8c8567ed60b0eea6

Architecture independent packages:

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch8_all.deb Size/MD5 checksum: 48142 761dce88bf46026622550e503800d4c3 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch8_all.deb Size/MD5 checksum: 54452 64140dddeb7bd50098ddc6222b4d2939 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch8_all.deb Size/MD5 checksum: 46068 0a67c6a61d08bf716c0af68da1585563

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_alpha.deb Size/MD5 checksum: 8405572 ceda4648a1bbc48f087f8763350c04e7 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_alpha.deb Size/MD5 checksum: 27385278 b5435c8d77f64e1855300e1988570333 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_alpha.deb Size/MD5 checksum: 8909972 e76dc32887c4baf25721eff971aa9d60 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_alpha.deb Size/MD5 checksum: 48170 c6eb1472bb6cf4fad708c23dd9a78cf8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_alpha.deb Size/MD5 checksum: 1947544 73d751f95dc5604d159df910a3157f45

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_amd64.deb Size/MD5 checksum: 1831314 6ed359b8f2fb92c5c9846a3743e4b0f8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_amd64.deb Size/MD5 checksum: 7549266 ca948f5c66f2172927acd9e5cbf7c9ae http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_amd64.deb Size/MD5 checksum: 7371842 7ff54b963be65b5e7d18425cd313bbcb http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_amd64.deb Size/MD5 checksum: 48178 127af2553cc1fd9e89f1f69a2eb44709 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_amd64.deb Size/MD5 checksum: 25813464 06dc8568f055c04dc4ddfd19de79a704

arm architecture (ARM)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_arm.deb Size/MD5 checksum: 48230 2a5b1b7b2ed8c94301fc60bd49be7991 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_arm.deb Size/MD5 checksum: 7208004 9e268d05c77d521dbe0366961534cdf2 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_arm.deb Size/MD5 checksum: 25347882 b89ba96f815a27ebe70014d8c16e6bc0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_arm.deb Size/MD5 checksum: 6930850 21ec3a8f5a6634454db8dec30fea9e65 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_arm.deb Size/MD5 checksum: 1748390 1877d302ebc91e8ccf104ba2d75479a6

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_hppa.deb Size/MD5 checksum: 27178846 d5b6eb3072bb2e8f2d114b182701a736 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_hppa.deb Size/MD5 checksum: 8060958 f4d89fec611eb37939d98f3e52391b21 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_hppa.deb Size/MD5 checksum: 48174 be34e4d2b05e4b294f5a3396611d4126 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_hppa.deb Size/MD5 checksum: 1920860 8ef8d38dc53e5f81eebcad330103062a http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_hppa.deb Size/MD5 checksum: 8003664 50496388e230ba0e337fadb5611c1bec

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_i386.deb Size/MD5 checksum: 1792994 2ee1e253198f7f67be79b40fbcee703a http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_i386.deb Size/MD5 checksum: 6961428 8be34f2ed518aa47148502b93e468ac0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_i386.deb Size/MD5 checksum: 25233474 cf39de0d83a65da443fb77e37976d19b http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_i386.deb Size/MD5 checksum: 7199354 d144813e5cd27c684cb8ff45a987159e http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_i386.deb Size/MD5 checksum: 48166 2f4ab0db379d477d4ea15191a1ff4a7c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_ia64.deb Size/MD5 checksum: 2115810 09e39bed782c6c2e7d689aa999adbfb1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_ia64.deb Size/MD5 checksum: 10342902 c091c2d6b6f02d120b513f07ecada159 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_ia64.deb Size/MD5 checksum: 9739330 f158dd90752b99efe92bca049b991696 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_ia64.deb Size/MD5 checksum: 30403740 c3daa72e6e34c54f8053887a52395e36 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_ia64.deb Size/MD5 checksum: 48170 b9f94375cccf2cb2a3aff60b232b400b

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mips.deb Size/MD5 checksum: 7674430 311032237de0d11e91d591b006ab6e60 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mips.deb Size/MD5 checksum: 48214 0751225fd59fce147105362c6cc30b16 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mips.deb Size/MD5 checksum: 7759738 74a1bd32b13f0c57f67100b6c0422d6e http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mips.deb Size/MD5 checksum: 1835426 f425af4483842630558bdcaaba7ac1ee http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mips.deb Size/MD5 checksum: 26472386 ed2e2a0eb36de7424d5bd03ab8f3b8f7

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_mipsel.deb Size/MD5 checksum: 25846914 766bcfbde62e9f75fc09f8892b1f6095 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_mipsel.deb Size/MD5 checksum: 7563074 fb084ab6a02dcf12fde22c740d6d63ac http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_mipsel.deb Size/MD5 checksum: 7642196 c58f251badf84dd7527f6bcf74bc1846 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_mipsel.deb Size/MD5 checksum: 48174 92fe38d06aac7ca0a1ff1a26f5858704 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_mipsel.deb Size/MD5 checksum: 1789960 0864b73e16d14ed1776879d3ef2ab5c1

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_powerpc.deb Size/MD5 checksum: 7575148 351f97505dde5ce74808b38008a04d1f http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_powerpc.deb Size/MD5 checksum: 7513654 5d9f12246f363b4eaab281e6c37ccf48 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_powerpc.deb Size/MD5 checksum: 26169508 81c25c622b35bec7d709f8fef4b3ba03 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_powerpc.deb Size/MD5 checksum: 48174 43cdd4b621fa97e345162fb5a11c3321 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_powerpc.deb Size/MD5 checksum: 1833008 a031cdc91532615006e3433ea1a2b9cc

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_s390.deb Size/MD5 checksum: 48172 b15d4493389f2d371d933b3cfec9dbfa http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_s390.deb Size/MD5 checksum: 7508416 7950a277db319634c2a61162c531d9f8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_s390.deb Size/MD5 checksum: 1952408 4035d4b30041b76cdad65f5093d0191e http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_s390.deb Size/MD5 checksum: 26765686 38ad49284aa88c6157c496f5583e81b4 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_s390.deb Size/MD5 checksum: 7414890 b61ee866d423474e4e76e68527d09b31

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch8_sparc.deb Size/MD5 checksum: 7159698 8ec6e96934ed76dbae21d28ebb701f02 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch8_sparc.deb Size/MD5 checksum: 25578698 e0cd9496cac89eb22ba854b3e10ca96b http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch8_sparc.deb Size/MD5 checksum: 7028544 fa58c135613be17bd723fea6c4f4de0d http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch8_sparc.deb Size/MD5 checksum: 1798226 b1a13379770a9b860a6328176c93eecd http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch8_sparc.deb Size/MD5 checksum: 48218 9e6c78e0ae63d91c3361ff106ca0d4a7

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJEmvqU5XKDemr/NIRAtjFAKD0b1I33j80Z6JworeVVlNHKuW4yQCfVusE I5MOY2TVITMgVkkzs7IrQTw= =5+yr -----END PGP SIGNATURE-----