Operating System:

[Debian]

Published:

29 January 2008

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0095 -- [Debian]
          New mysql-dfsg-5.0 packages fix several vulnerabilities
                              29 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              mysql-dfsg-5.0
Publisher:            Debian
Operating System:     Debian GNU/Linux
Impact:               Denial of Service
                      Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0227 CVE-2008-0226

Ref:                  AL-2008.0006

Original Bulletin:    http://www.debian.org/security/2008/dsa-1478

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1478-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 28, 2008                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : mysql-dfsg-5.0
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-0226 CVE-2008-0227

Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL
implementation included in the MySQL database package, which could lead
to denial of service and possibly the execution of arbitrary code.

For the unstable distribution (sid), these problems have been fixed in
version 5.0.51-3.

For the stable distribution (etch), these problems have been fixed in
version 5.0.32-7etch5.

The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0.

We recommend that you upgrade your mysql-dfsg-5.0 package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- - -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
    Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.diff.gz
    Size/MD5 checksum:   165895 05351b7ac0547d3666828c7eba89ee18
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.dsc
    Size/MD5 checksum:     1117 7d6a184cf5bda53d18be88728a0635c4

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch5_all.deb
    Size/MD5 checksum:    45636 c2d87b9755088b3a67851dc4867a67f8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch5_all.deb
    Size/MD5 checksum:    47716 5c9311fc2072be8336424c648497303e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch5_all.deb
    Size/MD5 checksum:    53944 3a16dd0a2c795cf7e906c648844a9779

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_alpha.deb
    Size/MD5 checksum:  8912752 826f18c201582262ee622ed9e470a915
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_alpha.deb
    Size/MD5 checksum:  1950712 47215338ef678adf7ca6f80d9d60613e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_alpha.deb
    Size/MD5 checksum:  8407802 e6e87a2edaf5f0405473fb3f5c859b3f
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_alpha.deb
    Size/MD5 checksum: 27365718 f83e12f0f36c31b4dbd64ab7b1b6f01d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_alpha.deb
    Size/MD5 checksum:    47748 91489bb86084a9f6026c6156a4a5faa0

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_amd64.deb
    Size/MD5 checksum:  7376450 ba1c75fa6963352a0af68c4db08d0c12
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_amd64.deb
    Size/MD5 checksum:    47708 4a3047795b3030063a47c969cfe4c324
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_amd64.deb
    Size/MD5 checksum:  1830910 c24fc179d4fb37994b5af2cb8c405ff1
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_amd64.deb
    Size/MD5 checksum: 25939846 8b0e047de274ed90f69a76f22866561a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_amd64.deb
    Size/MD5 checksum:  7547346 003c7231b81203a50ec563ff5142a010

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_arm.deb
    Size/MD5 checksum:    47756 0145e1aa5ec02b5c60c2d78bbcd334a0
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_arm.deb
    Size/MD5 checksum: 25345622 2de813c86f1d10fb2df34d8b9de2336e
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_arm.deb
    Size/MD5 checksum:  6929754 8a6b3351769b567a468bc7dcb97a2141
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_arm.deb
    Size/MD5 checksum:  7204866 a8f69933d8081e753b76402e47e7a64a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_arm.deb
    Size/MD5 checksum:  1747880 8da665b5f04444dcde03321f24ca8e4b

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_hppa.deb
    Size/MD5 checksum:  1920486 cb9a2e86902dc3f174926fbd8397a969
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_hppa.deb
    Size/MD5 checksum:  8046116 1eb6b1199a2c0f6a8502008a2c6df376
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_hppa.deb
    Size/MD5 checksum: 27055710 085b261bf2ec3820e21ec73bb59f6caa
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_hppa.deb
    Size/MD5 checksum:    47708 c17ca051ebe8783fa120c4596e32d9c2
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_hppa.deb
    Size/MD5 checksum:  8003914 59650ba346b2af0d77afbac64e93cca8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_i386.deb
    Size/MD5 checksum: 25370152 d615311235c5a9e6d85e7e77b4927d5d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_i386.deb
    Size/MD5 checksum:    47746 1040540bc74e34b67d9606a4368162a7
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_i386.deb
    Size/MD5 checksum:  6971870 90aae8d289cb3df24009c65b1af3b12d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_i386.deb
    Size/MD5 checksum:  7189880 6082aa213539a361cced40044161d108
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_i386.deb
    Size/MD5 checksum:  1793974 ab7cbdd14a9bff04066a865634ef1ce2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_ia64.deb
    Size/MD5 checksum:  9736902 1e93082931f1055cd4c1436caa0020f3
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_ia64.deb
    Size/MD5 checksum:    47710 3369d882bf2b99a05397aaeddf8bf864
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_ia64.deb
    Size/MD5 checksum:  2115340 472e412113e7ae0bb76853cf0167cd57
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_ia64.deb
    Size/MD5 checksum: 30408810 8c8982aae5e90c451b08f22bc2a5399d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_ia64.deb
    Size/MD5 checksum: 10341648 a5ef1b86109c465131ccfe5a9147bd74

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_mips.deb
    Size/MD5 checksum:  7655576 b92c42fbbd64a377fcc4277a1696ccdd
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_mips.deb
    Size/MD5 checksum:  1835994 2650808f606406336f55b31497bea015
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_mips.deb
    Size/MD5 checksum:  7749018 db3eb1fb41084f7cda145ecc1f808402
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_mips.deb
    Size/MD5 checksum:    47710 698fd659ef265c937dd045cfb2e9e28a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_mips.deb
    Size/MD5 checksum: 26338840 89c569b544aeb60ce6aae1c77d40965e

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_mipsel.deb
    Size/MD5 checksum:  1789510 2501eed6aaa7143a89f13e4bd9658ecf
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_mipsel.deb
    Size/MD5 checksum:    47718 ed3dc0fc53b78b2307dc4790ff82a174
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_mipsel.deb
    Size/MD5 checksum:  7640356 5417137e8b9632964ea0d67e8cd96416
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_mipsel.deb
    Size/MD5 checksum: 25845474 d379d4a5f900202d6244858d379aa46a
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_mipsel.deb
    Size/MD5 checksum:  7561164 31fa1242af6a762a92486aa327469d1f

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_powerpc.deb
    Size/MD5 checksum:  1832312 c6ab2b2c70aed56a7748eb0a5dd04c8c
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_powerpc.deb
    Size/MD5 checksum:  7573184 f43fb3a11284830b745346775073f92d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_powerpc.deb
    Size/MD5 checksum:  7511850 184e9e37e760f4bb3779385d134975db
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_powerpc.deb
    Size/MD5 checksum:    47708 a76913df77b9f358f88a66875dc13a46
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_powerpc.deb
    Size/MD5 checksum: 26164462 386da660c381925416238a51b0a847a4

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_s390.deb
    Size/MD5 checksum:    47714 7fa0b60bff0e106f6328b0b026566008
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_s390.deb
    Size/MD5 checksum: 26763646 544f49b13f6207c1a104dc9eef9e6dd9
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_s390.deb
    Size/MD5 checksum:  7413442 b70c6184c3b82ead175debdd569ab807
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_s390.deb
    Size/MD5 checksum:  7507380 f9cecc1ace4fd2455516986637490930
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_s390.deb
    Size/MD5 checksum:  1951732 d5eaad746a8db92889febd0da68f1ae5

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_sparc.deb
    Size/MD5 checksum:  7153228 566328488d67a3843b04689d76f0253d
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_sparc.deb
    Size/MD5 checksum:    47714 551a6f9a790b301d63c856ecab13be75
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_sparc.deb
    Size/MD5 checksum:  7013384 3915c6846d5ffce6e321b7e40006cb66
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_sparc.deb
    Size/MD5 checksum:  1797430 b0bd228090c8923d08c9b8ee84a1edb8
  http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_sparc.deb
    Size/MD5 checksum: 25425084 a9934459b8cde72354ffc463b2ec140f


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnjjKXm3vHE4uyloRApi/AKCLKlM616TTchb0zEQ8K4cOCdgZhwCffa1J
oQ57J3yhzeNDDwqXdxLvhxM=
=6ogr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR56Akyh9+71yA2DNAQJfXAQAhE90+91KAlcC7qDn7fZ4vlfDeQkEmWyc
i/bhIUvHwUWiWur4az+Y1AIfFkUIm4/gPybtU2sCTd+o56Spg9nsv6SFO0J/T9rH
WqHVakCKU30R8xG8djoe4vQUdJofugFbZL3/bwT4SEoCeu85o6eVmomDIeK61lk6
XXn2CVQAJtE=
=tbm9
-----END PGP SIGNATURE-----