===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2011.0123
                MySQL Community Server 5.6.4 has been released
                              21 December 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL prior to 5.6.4
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service -- Existing Account
Resolution:           Patch/Upgrade

Member content until: Friday, January 20 2012

OVERVIEW

        MySQL 5.6.4 fixes a number of bugs which could potentially be
        exploited.

IMPACT

        "Previously, MySQL servers from 5.1 and up refused to open ARCHIVE
        tables created in 5.0 because opening them caused a server crash.
        The server now can open 5.0 ARCHIVE tables, and REPAIR TABLE
        updates them to the format used in 5.6. However, the recommended
        upgrade procedure is still to dump 5.0 ARCHIVE tables before
        upgrading and reload them after upgrading. (Bug #48633,
        Bug #11756687)" [1]

        "Security Enhancement: Replication: The START SLAVE statement now
        accepts USER and PASSWORD options. By default, MySQL native
        authentication is used, and the user name and password are stored
        in the master.info repository. This behavior can be overridden by
        additionally specifying the name (DEFAULT_AUTH) and location
        (PLUGIN_DIR) of an authentication plugin when issuing START SLAVE.
        (Bug #13083642)" [1]

        "A derived table with more than 64 columns caused a server crash.
        (Bug #13354889)" [1]

        "ARCHIVE tables with NULL columns could cause server crashes or
        become corrupt under concurrent load. (Bug #51252, Bug #11758979)"
        [1]

        "For FEDERATED tables, loss of connection to the remote table
        during some insert operations could cause a server crash.
        (Bug #34660, Bug #11747970)" [1]

MITIGATION

        It is recommended that users upgrade to the latest version of
        MySQL, which is available from the MySQL website at:

        http://dev.mysql.com/downloads/mysql/

REFERENCES

        [1] Changes in MySQL 5.6.4 (20 December 2011 Milestone 7)
            http://dev.mysql.com/doc/refman/5.6/en/news-5-6-4.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
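The following MySQL queries are an added example and are not part of this AusCERT bulletin or of MySQL's documentation; they give an administrator a pre-upgrade check against the IMPACT and MITIGATION sections above: the running version compared with 5.6.4, and an inventory of the ARCHIVE and FEDERATED tables the fixed bugs concern. They assume an account with SELECT on information_schema.

```sql
-- Added example, not part of the AusCERT bulletin or MySQL's documentation.
-- Pre-upgrade checks for the issues listed under IMPACT. Assumes the account
-- running them has SELECT on information_schema.

-- 1. Is this server older than 5.6.4?  VERSION() may carry a suffix such as
--    '5.6.3-m6' or '5.5.19-log', so strip it and compare numerically; a plain
--    string comparison would misorder e.g. '5.6.10' against '5.6.4'.
SELECT v AS server_version,
       (CAST(SUBSTRING_INDEX(v, '.', 1) AS UNSIGNED) * 10000
      + CAST(SUBSTRING_INDEX(SUBSTRING_INDEX(v, '.', 2), '.', -1) AS UNSIGNED) * 100
      + CAST(SUBSTRING_INDEX(v, '.', -1) AS UNSIGNED)) < 50604 AS older_than_5_6_4
FROM (SELECT SUBSTRING_INDEX(VERSION(), '-', 1) AS v) AS ver;

-- 2. ARCHIVE tables and how many of their columns allow NULL (Bug #51252 /
--    #11758979: crash or corruption under concurrent load). The bulletin also
--    recommends dumping ARCHIVE tables created under 5.0 before upgrading and
--    reloading them afterwards; information_schema does not record the
--    creating version, so review every ARCHIVE table listed here.
SELECT t.TABLE_SCHEMA, t.TABLE_NAME,
       SUM(c.IS_NULLABLE = 'YES') AS nullable_columns
FROM information_schema.TABLES t
JOIN information_schema.COLUMNS c
  ON c.TABLE_SCHEMA = t.TABLE_SCHEMA AND c.TABLE_NAME = t.TABLE_NAME
WHERE t.ENGINE = 'ARCHIVE'
GROUP BY t.TABLE_SCHEMA, t.TABLE_NAME
ORDER BY nullable_columns DESC;

-- 3. FEDERATED tables (Bug #34660 / #11747970: crash when the remote
--    connection is lost during an insert). Each one depends on a remote server
--    that should be reachable and stable during the upgrade window.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLES
WHERE ENGINE = 'FEDERATED';

-- Not inventoried here: derived tables with more than 64 columns
-- (Bug #13354889) exist only inside queries, not in the schema; search the
-- application's SQL or the general/slow query log for them instead.
```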