Debian Security Advisory
DSA-1997-1 mysql-dfsg-5.0 -- several vulnerabilities
- Date reported:
- 2010-02-14
- Affected packages:
- mysql-dfsg-5.0
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-4019, CVE-2009-4030, CVE-2009-4484.
- More information:
-
Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2009-4019
Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries. In addition, certain null_value flags are not preserved during execution of statements that use the GeomFromWKB function. This allows remote authenticated users to cause a denial of service (server crash) via a crafted statement.
- CVE-2009-4030
Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that were originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory.
- CVE-2009-4484
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and server crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field.
For the oldstable distribution (Etch), these problems have been fixed in version 5.0.32-7etch12.
For the stable distribution (Lenny), these problems have been fixed in version 5.0.51a-24+lenny3.
The testing distribution (Squeeze) and the unstable distribution (Sid) no longer contain mysql-dfsg-5.0.
We recommend that you upgrade your mysql-dfsg-5.0 packages.
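To check hosts against the fixed versions stated above, the following added example (not part of the original advisory) reimplements Debian's package version ordering, including epochs and `~` suffixes that the advisory's own versions do not use, and flags installed mysql-dfsg-5.0 versions older than the fix for their release. The host names and installed versions in the sample inventory are constructed.

```python
import re

# Fixed versions stated in DSA-1997-1, keyed by Debian release codename.
FIXED = {"etch": "5.0.32-7etch12", "lenny": "5.0.51a-24+lenny3"}

def _order(c):
    """Sort weight: '~' lowest, then end of string, then letters, then the rest."""
    if c == "~":
        return -1
    if not c:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings by alternating text and digit runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            diff = _order(ta[i:i + 1]) - _order(tb[i:i + 1])
            if diff:
                return diff
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    head, sep, rest = version.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def compare_versions(a, b):
    """Negative, zero or positive: a older than, equal to, newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(inventory):
    """Hosts whose mysql-dfsg-5.0 version predates the fix for their release."""
    return sorted(host for host, (release, version) in inventory.items()
                  if compare_versions(version, FIXED[release]) < 0)

# Constructed sample inventory: host -> (release, installed package version).
SAMPLE = {"db1": ("etch", "5.0.32-7etch11"), "db2": ("etch", "5.0.32-7etch12"),
          "db3": ("lenny", "5.0.51a-24"), "db4": ("lenny", "5.0.51a-24+lenny3")}
print(unpatched(SAMPLE))
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison against the installed package version.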
- Fixed in:
-
Debian GNU/Linux 4.0 (Etch)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch12.dsc
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch12.diff.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch12_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch12_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch12_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_arm.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_ia64.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch12_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch12_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch12_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch12_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch12_sparc.deb
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny3.dsc
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-24+lenny3.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-24+lenny3_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-24+lenny3_all.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-24+lenny3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_amd64.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_armel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_i386.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_ia64.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_s390.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-24+lenny3_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-24+lenny3_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-24+lenny3_sparc.deb
- http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-24+lenny3_sparc.deb
MD5 checksums of these files are available in the original advisory.