Date: Fri, 21 Dec 2007 02:25:53 -0500
From: Jamie Strandboge <jamie@ubuntu.com>
Subject: [USN-559-1] MySQL vulnerabilities
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <476B6A81.2010403@ubuntu.com>
Content-Type: text/plain; charset=ISO-8859-1
===========================================================
Ubuntu Security Notice USN-559-1 December 21, 2007
mysql-dfsg-5.0 vulnerabilities
CVE-2007-3781, CVE-2007-5925, CVE-2007-5969, CVE-2007-6304
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mysql-server-5.0 5.0.22-0ubuntu6.06.6

Ubuntu 6.10:
  mysql-server-5.0 5.0.24a-9ubuntu2.2

Ubuntu 7.04:
  mysql-server-5.0 5.0.38-0ubuntu1.2

Ubuntu 7.10:
  mysql-server-5.0 5.0.45-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Joe Gallo and Artem Russakovskii discovered that the InnoDB
engine in MySQL did not properly perform input validation. An
authenticated user could use a crafted CONTAINS statement to
cause a denial of service. (CVE-2007-5925)

It was discovered that under certain conditions MySQL could be
made to overwrite system table information. An authenticated
user could use a crafted RENAME statement to escalate privileges.
(CVE-2007-5969)

Philip Stoev discovered that the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service. (CVE-2007-6304)

It was discovered that MySQL did not properly enforce access
controls. An authenticated user could use a crafted CREATE TABLE
LIKE statement to escalate privileges. (CVE-2007-3781)
End of ubuntu-security-announce Digest, Vol 39, Issue 11
********************************************************