Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0545 -- [RedHat] Low: mysql security and bug fix update 26 May 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mysql Publisher: Red Hat Operating System: Red Hat Linux 5 Impact: Inappropriate Access Increased Privileges Access: Existing Account CVE Names: CVE-2007-3782 CVE-2007-3781 CVE-2007-2692 CVE-2007-2691 CVE-2007-2583 CVE-2007-1420 CVE-2006-7232 CVE-2006-4227 CVE-2006-4031 CVE-2006-0903 Ref: ESB-2007.0949 ESB-2007.0687 ESB-2006.0402 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2008-0364.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: mysql security and bug fix update Advisory ID: RHSA-2008:0364-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0364.html Issue date: 2008-05-20 Updated on: 2008-05-21 CVE Names: CVE-2006-0903 CVE-2006-4031 CVE-2006-4227 CVE-2006-7232 CVE-2007-1420 CVE-2007-2583 CVE-2007-2691 CVE-2007-2692 CVE-2007-3781 CVE-2007-3782 ===================================================================== 1. Summary: Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not require privileges such as "SELECT" for the source table in a "CREATE TABLE LIKE" statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the "DROP" privilege for "RENAME TABLE" statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the "--skip-merge" option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using "GRANT EXECUTE". (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs: * a separate counter was used for "insert delayed" statements, which caused rows to be discarded. In these updated packages, "insert delayed" statements no longer use a separate counter, which resolves this issue. * due to a bug in the Native POSIX Thread Library, in certain situations, "flush tables" caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, "COND_refresh" has been replaced with "COND_global_read_lock", which resolves this issue. * mysqld crashed if a query for an unsigned column type contained a negative value for a "WHERE [column] NOT IN" subquery. * in master and slave server situations, specifying "on duplicate key update" for "insert" statements did not update slave servers. * in the mysql client, empty strings were displayed as "NULL". For example, running "insert into [table-name] values (' ');" resulted in a "NULL" entry being displayed when querying the table using "select * from [table-name];". * a bug in the optimizer code resulted in certain queries executing much slower than expected. * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html All mysql users are advised to upgrade to these updated packages, which resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 194613 - CVE-2006-0903 Mysql log file obfuscation 202246 - CVE-2006-4031 MySQL improper permission revocation 216427 - CVE-2006-4227 mysql improper suid argument evaluation 232603 - CVE-2007-1420 Single MySQL worker can be crashed (NULL deref) with certain SELECT statements 240813 - CVE-2007-2583 mysql: DoS via statement with crafted IF clause 241688 - CVE-2007-2691 mysql DROP privilege not enforced when renaming tables 241689 - CVE-2007-2692 mysql SECURITY INVOKER functions do not drop privileges 248553 - CVE-2007-3781 CVE-2007-3782 New release of MySQL fixes security bugs 254012 - Mysql bug 20048: 5.0.22 FLUSH TABLES WITH READ LOCK bug; need upgrade to 5.0.23 256501 - mysql 5.0.22 still has a lot of bugs ; need upgrade 349121 - MySQL client will display empty strings as NULL (fixed in 5.0.23) 434264 - CVE-2006-7232 mysql: daemon crash via EXPLAIN on queries on information schema 435391 - mysql does not calculate thread stack size correctly for RHEL5 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/mysql-5.0.45-7.el5.src.rpm i386: mysql-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm x86_64: mysql-5.0.45-7.el5.i386.rpm mysql-5.0.45-7.el5.x86_64.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/mysql-5.0.45-7.el5.src.rpm i386: mysql-bench-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-devel-5.0.45-7.el5.i386.rpm mysql-server-5.0.45-7.el5.i386.rpm mysql-test-5.0.45-7.el5.i386.rpm x86_64: mysql-bench-5.0.45-7.el5.x86_64.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.x86_64.rpm mysql-devel-5.0.45-7.el5.i386.rpm mysql-devel-5.0.45-7.el5.x86_64.rpm mysql-server-5.0.45-7.el5.x86_64.rpm mysql-test-5.0.45-7.el5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/mysql-5.0.45-7.el5.src.rpm i386: mysql-5.0.45-7.el5.i386.rpm mysql-bench-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-devel-5.0.45-7.el5.i386.rpm mysql-server-5.0.45-7.el5.i386.rpm mysql-test-5.0.45-7.el5.i386.rpm ia64: mysql-5.0.45-7.el5.i386.rpm mysql-5.0.45-7.el5.ia64.rpm mysql-bench-5.0.45-7.el5.ia64.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.ia64.rpm mysql-devel-5.0.45-7.el5.ia64.rpm mysql-server-5.0.45-7.el5.ia64.rpm mysql-test-5.0.45-7.el5.ia64.rpm ppc: mysql-5.0.45-7.el5.ppc.rpm mysql-5.0.45-7.el5.ppc64.rpm mysql-bench-5.0.45-7.el5.ppc.rpm mysql-debuginfo-5.0.45-7.el5.ppc.rpm mysql-debuginfo-5.0.45-7.el5.ppc64.rpm mysql-devel-5.0.45-7.el5.ppc.rpm mysql-devel-5.0.45-7.el5.ppc64.rpm mysql-server-5.0.45-7.el5.ppc.rpm mysql-server-5.0.45-7.el5.ppc64.rpm mysql-test-5.0.45-7.el5.ppc.rpm s390x: mysql-5.0.45-7.el5.s390.rpm mysql-5.0.45-7.el5.s390x.rpm mysql-bench-5.0.45-7.el5.s390x.rpm mysql-debuginfo-5.0.45-7.el5.s390.rpm mysql-debuginfo-5.0.45-7.el5.s390x.rpm mysql-devel-5.0.45-7.el5.s390.rpm mysql-devel-5.0.45-7.el5.s390x.rpm mysql-server-5.0.45-7.el5.s390x.rpm mysql-test-5.0.45-7.el5.s390x.rpm x86_64: mysql-5.0.45-7.el5.i386.rpm mysql-5.0.45-7.el5.x86_64.rpm mysql-bench-5.0.45-7.el5.x86_64.rpm mysql-debuginfo-5.0.45-7.el5.i386.rpm mysql-debuginfo-5.0.45-7.el5.x86_64.rpm mysql-devel-5.0.45-7.el5.i386.rpm mysql-devel-5.0.45-7.el5.x86_64.rpm mysql-server-5.0.45-7.el5.x86_64.rpm mysql-test-5.0.45-7.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4227 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2583 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3782 http://www.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFINDIQXlSAg2UNWIIRAhSDAKCa1Uw5WVz5C0KGevCBV25X9G/GBgCfcKaD fEYwviVL9nFgEYQ3wbBPU0Y= =ZmS0 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSDoY3yh9+71yA2DNAQJZOgP/ew0JU8VbrEzuejuHZnvGK3Xq7tytznHG MREXRMrB0VDWI9ZrvkVb4pj+luSooojnxLFLYflxhAJ9evniYy1pJNUkKKxARCya AJS/Hl12vHAH1Cs0Uga9weXv+GdkiYQ+ultzL80OuMJxVsMEXTvd0z/JM9EvrMvJ sb51VEvTCfM= =hAk+ -----END PGP SIGNATURE-----