secure@conectiva.com.br
17/12/02, 18:35
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : MySQL
SUMMARY : Several Vulnerabilities
DATE : 2002-12-17 11:51:00
ID : CLA-2002:555
RELEVANT
RELEASES : 6.0, 7.0, 8
- -------------------------------------------------------------------------
DESCRIPTION
MySQL is a very popular SQL database, distributed under the GNU-GPL
license.
Stefan Esser from e-matters[1] discovered several vulnerabilities in
the MySQL code that affect both the server and the client library
(libmysql) of MySQL.
The server vulnerabilities can be exploited to crash the MySQL
server, bypass password restrictions or even execute arbitrary code
with the privileges of the user running the server process.
The library ones consist in an arbitrary size heap overflow and a
memory addressing problem that can be both exploited to crash or
execute arbitrary code in programs linked against libmysql.
More details about each vulnerability can be found in the e-matters
security advisory[2].
The Common Vulnerabilities and Exposures project (cve.mitre.org) is
tracking these issues with the names CAN-2002-1373, CAN-2002-1374,
CAN-2002-1375 and CAN-2002-1376.
SOLUTION
We recommend that all MySQL users upgrade their packages as soon as
possible.
IMPORTANT: after the upgrade the mysql service must be restarted
manually. In order to do that, run the following command as root:
# /sbin/service mysql restart
It is also recomended to restart all programs linked against
libmysql. A list of such programs in execution can be obtained with
the following command:
# /usr/sbin/lsof | grep libmysql
REFERENCES:
1.http://www.e-matters.de/
2.http://security.e-matters.de/advisories/042002.html
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1376
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9/y0Q42jd0JmAcZARAs4oAJ9O1YoOF+jGa/4+NJuxpYKv1/XbxgCg4GKM
vJh9sl4q6/8ZALEwWsmMKbU=
=OzUs
-----END PGP SIGNATURE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : MySQL
SUMMARY : Several Vulnerabilities
DATE : 2002-12-17 11:51:00
ID : CLA-2002:555
RELEVANT
RELEASES : 6.0, 7.0, 8
- -------------------------------------------------------------------------
DESCRIPTION
MySQL is a very popular SQL database, distributed under the GNU-GPL
license.
Stefan Esser from e-matters[1] discovered several vulnerabilities in
the MySQL code that affect both the server and the client library
(libmysql) of MySQL.
The server vulnerabilities can be exploited to crash the MySQL
server, bypass password restrictions or even execute arbitrary code
with the privileges of the user running the server process.
The library ones consist in an arbitrary size heap overflow and a
memory addressing problem that can be both exploited to crash or
execute arbitrary code in programs linked against libmysql.
More details about each vulnerability can be found in the e-matters
security advisory[2].
The Common Vulnerabilities and Exposures project (cve.mitre.org) is
tracking these issues with the names CAN-2002-1373, CAN-2002-1374,
CAN-2002-1375 and CAN-2002-1376.
SOLUTION
We recommend that all MySQL users upgrade their packages as soon as
possible.
IMPORTANT: after the upgrade the mysql service must be restarted
manually. In order to do that, run the following command as root:
# /sbin/service mysql restart
It is also recomended to restart all programs linked against
libmysql. A list of such programs in execution can be obtained with
the following command:
# /usr/sbin/lsof | grep libmysql
REFERENCES:
1.http://www.e-matters.de/
2.http://security.e-matters.de/advisories/042002.html
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1376
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9/y0Q42jd0JmAcZARAs4oAJ9O1YoOF+jGa/4+NJuxpYKv1/XbxgCg4GKM
vJh9sl4q6/8ZALEwWsmMKbU=
=OzUs
-----END PGP SIGNATURE-----