[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 667/05 - Debian - New mysql packages fix insecure temporary file [DSA 783-1]



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 667/05 dated 24.08.05  Time: 14:10  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Debian - New mysql packages fix insecure temporary file [DSA 783-1]


Detail
====== 


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 783-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
August 24th, 2005                       http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : mysql-dfsg-4.1
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-1636
BugTraq ID     : 13660
Debian Bug     : 319526

Eric Romang discovered a temporary file vulnerability in a script
accompanied with MySQL, a popular database, that allows an attacker to
execute arbitrary SQL commands when the server is installed or
updated.

The old stable distribution (woody) as well as mysql-dfsg are not
affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 4.1_4.1.11a-4sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 4.1.12 for mysql-dfsg-4.1 and 5.0.11beta-3 of mysql-dfsg-5.0.

We recommend that you upgrade your mysql packages.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.dsc
      Size/MD5 checksum:     1021 13739557cb2a080e28e4d8b8d3c74b3c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.diff.gz
      Size/MD5 checksum:   162785 ebabe63abfbe2c9cf4a56fb9515d99dd
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
      Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge1_all.deb
      Size/MD5 checksum:    35642 abfc7caa37c13c6861ec88cf196ef1be

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_alpha.deb
      Size/MD5 checksum:  1589514 7ef6a2aaa7323251d2367fed743356a9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_alpha.deb
      Size/MD5 checksum:  7963364 4bb4ee99603b3c0918f9ef4ae8284ae1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_alpha.deb
      Size/MD5 checksum:   999878 77f29c811d6515c8affffeec74c4bb7f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_alpha.deb
      Size/MD5 checksum: 17484624 1149856989da8e133f38c3d59d96b30c

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_amd64.deb
      Size/MD5 checksum:  1450326 9f45715323978f3f7c7e40267aec2ea4
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_amd64.deb
      Size/MD5 checksum:  5548998 c6365b2f962fc2092e6466c7e2c4b125
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_amd64.deb
      Size/MD5 checksum:   848544 b2584efe95149b344eb3c6205da2368e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_amd64.deb
      Size/MD5 checksum: 14709540 1b1ca0bae85285d5b385495728f06af2

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_arm.deb
      Size/MD5 checksum:  1388076 0be4eec4f3929bf0b7964157fa76accc
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_arm.deb
      Size/MD5 checksum:  5557616 265a5c7293a18ea7f268bbbb4660f0fe
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_arm.deb
      Size/MD5 checksum:   835746 f8f6416e44435b01068176a1ac98de0f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_arm.deb
      Size/MD5 checksum: 14555588 f8922b999f0b2f620853f3239b049fc9

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_i386.deb
      Size/MD5 checksum:  1416468 a8d52b676ff4ff91d413ff9324450036
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_i386.deb
      Size/MD5 checksum:  5641628 2d20f8b3174a6a9a19121a5e498bd5c9
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_i386.deb
      Size/MD5 checksum:   829580 1a4df96b603f27f7c2b139c1dd055460
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_i386.deb
      Size/MD5 checksum: 14556398 fe1c3f25184baab2bb0095b32c77a797

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_ia64.deb
      Size/MD5 checksum:  1711768 fda64e2e04286a2fdd67d2e86a905fb0
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_ia64.deb
      Size/MD5 checksum:  7780852 853e3a49046d46af94ceef13ebb51c29
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_ia64.deb
      Size/MD5 checksum:  1049644 b00ce1514972089cf719b85604808bde
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_ia64.deb
      Size/MD5 checksum: 18474664 85e75b5428af17ec8ef0629cf57c321e

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_hppa.deb
      Size/MD5 checksum:  1550180 c5dd256372cd9627eb4dbd9582dce728
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_hppa.deb
      Size/MD5 checksum:  6249180 039c8b4f93c713e967d301fea234292e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_hppa.deb
      Size/MD5 checksum:   909078 94164738f1978a1eadedb4014c38097e
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_hppa.deb
      Size/MD5 checksum: 15786540 bd9c9386dcacf37a1802160c21f87712

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_m68k.deb
      Size/MD5 checksum:  1396690 dfac1efd2c57ee8c1e5c8e3439e439bf
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_m68k.deb
      Size/MD5 checksum:  5282688 ed08875a118d9237d00f3e3011b1dac1
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_m68k.deb
      Size/MD5 checksum:   802834 e5ab7837ea28d267bfe698fee03cbba6
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_m68k.deb
      Size/MD5 checksum: 14069986 f869a37931dfb86519458a9d48747f96

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_mips.deb
      Size/MD5 checksum:  1477766 fb7a8d1fb9d4607d7172c36032ebcbbb
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mips.deb
      Size/MD5 checksum:  6051760 6e97430bc9b02e866e04414e627f9f4c
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mips.deb
      Size/MD5 checksum:   903542 f99636d7c17d9b9647c34d3dd3379c2d
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mips.deb
      Size/MD5 checksum: 15407442 36eaf9d65e7c4dcaeff920389c6bd890

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_mipsel.deb
      Size/MD5 checksum:  1445230 a850a8ef0b9860fdea3530e9c20ca155
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mipsel.deb
      Size/MD5 checksum:  5969356 4f65edebdd67451ff9f98d350d8de26f
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mipsel.deb
      Size/MD5 checksum:   889146 f7f3a001055f08d94598a0829a76aaf2
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mipsel.deb
      Size/MD5 checksum: 15103070 c204dcfe3af004201336df429d02972f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_powerpc.deb
      Size/MD5 checksum:  1475306 a9a981440a13e4da0f3f1eb28df8e178
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_powerpc.deb
      Size/MD5 checksum:  6024926 72553153e08c80d0d52a8abc5634c61b
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_powerpc.deb
      Size/MD5 checksum:   906294 6952b08aabe467261f3501fe9863d2cf
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_powerpc.deb
      Size/MD5 checksum: 15402300 a8052df1923122ec2fd18d5a3aa5c125

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_s390.deb
      Size/MD5 checksum:  1537478 d53485497a6fc99eb0186857fc799963
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_s390.deb
      Size/MD5 checksum:  5460684 2a11f9f50e74053a17679d59ffea44ad
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_s390.deb
      Size/MD5 checksum:   883270 61d8ef6a6d11ca03c84bf359a004e2e8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_s390.deb
      Size/MD5 checksum: 15053878 1a9066f65b02545819ab1fddec62ba71

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_sparc.deb
      Size/MD5 checksum:  1459386 b801d56ac5282e4316a11c7e231bbac0
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_sparc.deb
      Size/MD5 checksum:  6205406 2cc5c4c174d61bf0f76b5fd9b75055f8
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_sparc.deb
      Size/MD5 checksum:   867260 b8d31122c0c678cd73c1ae2dba158fb0
    http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_sparc.deb
      Size/MD5 checksum: 15390174 f2ddbee863e67a62792dec779c3a9c2e


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDDBlxW5ql+IAeqTIRAk/rAKCVt2ll7jpAog/3K0Ctj/EOJJmABACbBFX/
AM1Kku5Kvd6FNi7X5D8BlRI=
=DGTi
- -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQwxyDIpao72zK539AQGaVQP/bf+oSQzSNj30/APU/zJNExqvVBU5bw60
idFBNeVHzCLMo5vkN2DkEU8LUpdAMw3a5dT5x5JtGyP2jh030cjLrKc5Lx2W4TFo
hsD8hYpb4EQzBK7PF8ZrURZBEFvy7wboesx8PxYZHpT5Jdhbqb+x72UOuM6R30o0
KjLY0QTdhCY=
=D1xy
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________