Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 1608-1] New mysql-dfsg-5.0 packages fix authorization bypass
From: Devin Carraway <devin () debian org>
Date: Sun, 13 Jul 2008 04:55:16 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1608-1                security () debian org
http://www.debian.org/security/                         Devin Carraway
July 13, 2008                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : mysql-dfsg-5.0
Vulnerability  : authorization bypass
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-2079
Debian Bug     : 480292

Sergei Golubchik discovered that MySQL, a widely-deployed database
server, did not properly validate optional data or index directory
paths given in a CREATE TABLE statement, nor would it (under proper
conditions) prevent two databases from using the same paths for data
or index files.  This permits an authenticated user with authorization
to create tables in one database to read, write or delete data from
tables subsequently created in other databases, regardless of other
GRANT authorizations.  The Common Vulnerabilities and Exposures
project identifies this weakness as CVE-2008-2079.

For the stable distribution (etch), this problem has been fixed in
version 5.0.32-7etch6.  Note that the fix applied will have the
consequence of disallowing the selection of data or index paths
under the database root, which on a Debian system is /var/lib/mysql;
database administrators needing to control the placement of these
files under that location must do so through other means.

We recommend that you upgrade your mysql-dfsg-5.0 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch6.diff.gz
    Size/MD5 checksum:   266482 42faf9d31d5bf1674d5b241ff49341cf
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
    Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch6.dsc
    Size/MD5 checksum:     1117 367176f5e877cf3c46c662b87275f901

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch6_all.deb
    Size/MD5 checksum:    45888 48a61918f72d865970ef48bc4eeb3466
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch6_all.deb
    Size/MD5 checksum:    54220 72f5ee84fa60b0871600fbe5fd4f5a74
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch6_all.deb
    Size/MD5 checksum:    47968 e8a2d9a5f13043c67a3d9ba4caa57a3c

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_alpha.deb
    Size/MD5 checksum:  1947356 1cd753a88978d41452bffc772323eb83
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_alpha.deb
    Size/MD5 checksum:  8909108 61b392dc0be2b82c3e6a5657ad06fca8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_alpha.deb
    Size/MD5 checksum: 27381852 9e9fc87afceae3cb7c157369843a30ad
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_alpha.deb
    Size/MD5 checksum:    47992 8798c205394f39c843df143db2ba37af
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_alpha.deb
    Size/MD5 checksum:  8405314 f52f8049cb3080bca02eeba5c2e14a1d

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_amd64.deb
    Size/MD5 checksum:    47990 3662d9f51257c5fc57e7a20b90a6f33d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_amd64.deb
    Size/MD5 checksum:  7371044 0fd9eb3504a9958b1f709a48649b41c0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_amd64.deb
    Size/MD5 checksum: 25815708 3fd278cba985110a578fc8d5bc76f8e9
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_amd64.deb
    Size/MD5 checksum:  1830958 6cc454236571032d4c723a4084cae535
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_amd64.deb
    Size/MD5 checksum:  7548576 ce08e3855077d14ddf73d70362faaaf1

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_arm.deb
    Size/MD5 checksum:  1748158 271c0b333e4404ac1a3230e13e182c70
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_arm.deb
    Size/MD5 checksum:  6930330 70477965987251fa25ace71df5c200f7
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_arm.deb
    Size/MD5 checksum: 25345976 f7908a64856451893285ebaebb4f6125
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_arm.deb
    Size/MD5 checksum:    48034 90284b682bc77e4401c216f3f49d8995
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_arm.deb
    Size/MD5 checksum:  7205572 7ebe1cb99dbb00a4db7ee387c2533a44

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_hppa.deb
    Size/MD5 checksum:  8054566 6ed6093c2dae6999126eacf5309e4474
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_hppa.deb
    Size/MD5 checksum:    47990 688427cc2115f9260546013364aca60b
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_hppa.deb
    Size/MD5 checksum:  1922788 5645332118ae75b274e760c448150f1b
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_hppa.deb
    Size/MD5 checksum: 27172760 bc2bfe60a4ff106fade4da459e07a5eb
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_hppa.deb
    Size/MD5 checksum:  8004968 53ba9f2f9c169765ad97900efb5f9c1a

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_i386.deb
    Size/MD5 checksum:  1792338 2bfed729400306f35a68d210af5a6666
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_i386.deb
    Size/MD5 checksum:  7198430 0c542cde542474c58468b52f97890ec2
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_i386.deb
    Size/MD5 checksum:  6959158 2c879cabd32fec019ebbf110b43c9e62
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_i386.deb
    Size/MD5 checksum:    47990 ba04b03ff5cfb960c9a7b461fe879928
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_i386.deb
    Size/MD5 checksum: 25225784 2382d6a8f5e57dc84060b51116b03833

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_ia64.deb
    Size/MD5 checksum:  2115542 0bb8b1f251231f14bfa27f0138f01a5d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_ia64.deb
    Size/MD5 checksum:  9737938 41806cfb4504905e6be20f3047aefdf0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_ia64.deb
    Size/MD5 checksum: 30409676 b6f620c479e5d2a1aa9f9e20e5382849
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_ia64.deb
    Size/MD5 checksum:    47992 a6d309557d081dc76b60c359977cf805
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_ia64.deb
    Size/MD5 checksum: 10342514 25e2a3dbf910557ed1899ef1dce83cd8

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_mips.deb
    Size/MD5 checksum:    48020 7192dc50d43ca3d5710bfe2501fd0ee1
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_mips.deb
    Size/MD5 checksum: 26471616 c8f937742bb947ed1994ee4bfb59f4ea
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_mips.deb
    Size/MD5 checksum:  1835022 b6d0c5c0eb384329ec2678b43380d8fb
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_mips.deb
    Size/MD5 checksum:  7759368 7121a9cfcdbf26a89fc95e00113a20fb
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_mips.deb
    Size/MD5 checksum:  7672846 5fbe3662bc253bda3ccf62c8c78d7cf4

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_mipsel.deb
    Size/MD5 checksum:  7641076 937625ccc622b46c4c6a5cffeda033ec
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_mipsel.deb
    Size/MD5 checksum:  1789730 90d351c1551367cc5e77d008236402cd
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_mipsel.deb
    Size/MD5 checksum: 25845336 ed42a4ccbb7057dc660197fee3566682
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_mipsel.deb
    Size/MD5 checksum:    47992 1c0eb8257b01d13b4bf0f70d97612e67
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_mipsel.deb
    Size/MD5 checksum:  7561054 d5fbe5e214b39736f6eb13c2633fd102

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_powerpc.deb
    Size/MD5 checksum:  7573142 49364df9e5cd4842fd9f72a40589d18c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_powerpc.deb
    Size/MD5 checksum:    47990 1eceb3165524be6ce46a6a1cab526a24
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_powerpc.deb
    Size/MD5 checksum:  7512578 e78ebeed9529c4bddd4976a1181d86e6
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_powerpc.deb
    Size/MD5 checksum: 26165058 0c20e4fb11a5b89b572d177b86cde355
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_powerpc.deb
    Size/MD5 checksum:  1832632 7e633b4febc3d0bfcb6c993cf85574c0

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_s390.deb
    Size/MD5 checksum:  7414202 4ff1d98b4b41543fdb24fc3be75b2835
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_s390.deb
    Size/MD5 checksum:    47988 8734d7200d69ed73cda3c80ec9115247
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_s390.deb
    Size/MD5 checksum:  7507338 921ca2feff00e5d2c0a36e34403538f0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_s390.deb
    Size/MD5 checksum:  1952002 ca93cf34f53f7d2c3094157142df632f
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_s390.deb
    Size/MD5 checksum: 26764624 d785bab765139dcb98872a2b96b85909

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_sparc.deb
    Size/MD5 checksum:  1797778 6df91c9bce65192cdb3063c3111e941d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_sparc.deb
    Size/MD5 checksum:    47992 b7d1d6f2ff76ef9bcf126d2dd773bb72
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_sparc.deb
    Size/MD5 checksum:  7014210 f23cf47cc8b16e28f22c1a13b4a6936c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_sparc.deb
    Size/MD5 checksum: 25426696 16bfb42f9a4dab6146df47568da158df
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_sparc.deb
    Size/MD5 checksum:  7153268 811916b6dec1eeae2ddb9822dacea994


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIeYhzU5XKDemr/NIRAkq/AKCaaDjIYhDwCU4t4ZJI6ZcNUsav6ACgwn9Q
naOfRlIo8CPjdi8hUqt7q64=
=+HxO
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 1608-1] New mysql-dfsg-5.0 packages fix authorization bypass Devin Carraway (Jul 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault