FLSA-2005:152925: Updated mysql packages fix security issues
Posted on: 07/16/2005 07:19 AM

Updated mysql packages are available for Red Hat Linux 7.3/9 and Fedora Core 1

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated mysql packages fix security issues
Advisory ID: FLSA:152925
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated mysql packages that fix various security issues are now available.

MySQL is a multi-user, multi-threaded SQL database server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

This update fixes several security risks in the MySQL server.

Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0709 and CAN-2005-0710 to these issues.

Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0711 to this issue.

All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152925

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.6.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.4.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

6b9ad2acc6eaaebeef935feb6e32b1e59f8d1e94
redhat/7.3/updates/i386/mysql-3.23.58-1.73.6.legacy.i386.rpm
090bce8a56c5cc7fedbca223925eb9d15dca5cd5
redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
8d8565f44b2de5f7d36274803d04e4b06e2abf81
redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.6.legacy.i386.rpm
1d8f01787f7824c2d2638c8e48e9e8c03d7c0c28
redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.6.legacy.src.rpm
c838b40be12cd10b40f4b2c7e4c14c368734da23
redhat/9/updates/i386/mysql-3.23.58-1.90.6.legacy.i386.rpm
dc86a50ecfef42f4f85aaf798f84beea0bf656fa
redhat/9/updates/i386/mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
dc24c3c52eeb2874b3547b0d2347e214b321da02
redhat/9/updates/i386/mysql-server-3.23.58-1.90.6.legacy.i386.rpm
4f713ffcf56fd07d19e12f291a87a4feea6fbd23
redhat/9/updates/SRPMS/mysql-3.23.58-1.90.6.legacy.src.rpm
ed3ddb39dbadf121a87348c9b7cfb3d6fc3917c4
fedora/1/updates/i386/mysql-3.23.58-4.4.legacy.i386.rpm
3c57f554ed37cbb29e05773c1527f389f4601b16
fedora/1/updates/i386/mysql-bench-3.23.58-4.4.legacy.i386.rpm
d08b91055dae251b192de109a453a4bbe03828c9
fedora/1/updates/i386/mysql-devel-3.23.58-4.4.legacy.i386.rpm
950b5116ba77127478cb02d5a9b7e23711376daf
fedora/1/updates/i386/mysql-server-3.23.58-4.4.legacy.i386.rpm
56257305e480c2db1669de92024033f7bb9f1702
fedora/1/updates/SRPMS/mysql-3.23.58-4.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v lt;filenamegt;

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum lt;filenamegt;

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711

9. Contact:

The Fedora Legacy security contact is lt;secnotice@fedoralegacy.orggt;. More project details at http://www.fedoralegacy.org


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/flsa_2005152925_updated_mysql_packages_fix_security_issues.html)