Bulletin d'alerte Debian

DSA-562-1 mysql -- Plusieurs vulnérabilités

Date du rapport:

11 octobre 2004

Paquets concernés:

mysql

Vulnérabilité:

Oui

Références dans la base de données de sécurité:

Dans le dictionnaire CVE du Mitre : CVE-2004-0835, CVE-2004-0836, CVE-2004-0837.

Pour plus d'information:

Plusieurs problèmes ont été découverts dans MySQL, une base de données très utilisée sur les serveurs Unix. Le projet « Common Vulnerabilities and Exposures » a identifié les problèmes suivants :

CAN-2004-0835
Oleksandr Byelkin a signalé que la commande ALTER TABLE ... RENAME vérifie les droits CREATE/INSERT de l'ancienne table au lieu de la nouvelle.
CAN-2004-0836
Lukasz Wojtow a signalé un dépassement de tampon dans la fonction mysql_real_connect.
CAN-2004-0837
Dean Ellis a signalé que plusieurs processus qui ALTERent les mêmes (ou des différentes) tables MERGE pour changer l'UNION peuvent causer le plantage du serveur ou son ralentissement.

Pour l'actuelle distribution stable (Woody), ces problèmes ont été corrigés dans la version 3.23.49-8.8.

Pour la distribution instable (Sid), ces problèmes ont été corrigés dans la version 4.0.21-1.

Nous vous recommandons de mettre à jour votre paquet mysql et ceux qui y sont liés, et de redémarrer les services qui s'en servent (par exemple, Apache/PHP).

Corrigé dans:

Debian GNU/Linux 3.0 (woody)

Source :: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.8.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.8.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.8_all.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.5_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.8_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.8_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.