[Technik] [SECURITY] [DSA 1608-1] New mysql-dfsg-5.0 packages fix authorization bypass

Noèl Köthe noel at debian.org
Sat Jul 19 22:11:21 CEST 2008


On Sunday, 13.07.2008, 04:55 +0000, Devin Carraway wrote:

> Debian Security Advisory DSA-1608-1                security at debian.org
> http://www.debian.org/security/                         Devin Carraway
> July 13, 2008                       http://www.debian.org/security/faq
> 
> Package        : mysql-dfsg-5.0
> Vulnerability  : authorization bypass
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-2079
> Debian Bug     : 480292

mysql updated on h01, h02, h03, h04, h51, h52, h90 and wasco.
The required mysql restart caused a brief
unavailability/outage of the mysql service.

> For the stable distribution (etch), this problem has been fixed in
> version 5.0.32-7etch6.  Note that the fix applied will have the
> consequence of disallowing the selection of data or index paths
> under the database root, which on a Debian system is /var/lib/mysql;
> database administrators needing to control the placement of these
> files under that location must do so through other means.

changelog:
mysql-dfsg-5.0 (5.0.32-7etch6) stable-security; urgency=high

  * Non-maintainer upload by the security team.
  * Backport a corrected form of upstream's fix for CVE-2008-2079, which
    allowed local users to bypass authorization checks by creating MyISAM
    tables using specific DATA DIRECTORY or INDEX DIRECTORY arguments within
    the MySQL data directory subsequently used by tables in other databases to
    which they would not normally have access.  Note that this alters the
    behavior of table creation in that it disallows specification of data or
    index directories in or under mysqld's own homedir.
  * Adjust 95_SECURITY_CVE-2007-3781.dpatch, introduced in 5.0.32-7etch4, so
    as not to drop a spurious rejected patch file during the build.

 -- Devin Carraway <devin at debian.org>  Tue,  6 Jul 2008 07:59:50 +0000

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
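The fix quoted above only changes table creation: a MyISAM table created before the update with DATA DIRECTORY or INDEX DIRECTORY pointing into /var/lib/mysql keeps its symlinked .MYD/.MYI files, so a post-update audit of the data directory is still worth running on each host. The script below is an added example (not part of the original mail, the advisory or the Debian package): it walks a data directory, finds .MYD/.MYI entries that are symlinks (which is how MyISAM implements those options) and reports the ones whose target resolves back inside the data directory, flagging the cross-database case the CVE describes. The fixture it audits is a constructed sample built in a temporary directory; the database names, file names and the helper names are hypothetical.

```python
"""Audit a MySQL datadir for MyISAM DATA/INDEX DIRECTORY symlinks that
point back inside the datadir (the CVE-2008-2079 pattern).

Added example; the layout and names below are constructed, not taken
from any real host."""
import os
import tempfile
from pathlib import Path

# MyISAM stores DATA DIRECTORY / INDEX DIRECTORY as symlinks with these suffixes.
MYISAM_LINK_SUFFIXES = (".MYD", ".MYI")


def find_inward_symlinks(datadir):
    """Return (link, target, owning_db, target_db) for every .MYD/.MYI symlink
    under datadir whose target also lies under datadir. Paths are relative to
    datadir. Links pointing outside the datadir are not reported: they were
    allowed before the fix and remain allowed after it."""
    root = Path(os.path.realpath(datadir))
    findings = []
    for db_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for entry in sorted(db_dir.iterdir()):
            if entry.suffix not in MYISAM_LINK_SUFFIXES or not entry.is_symlink():
                continue
            # realpath also handles dangling links (target not yet created).
            target = Path(os.path.realpath(entry))
            try:
                rel_target = target.relative_to(root)
            except ValueError:
                continue  # outward link, not the CVE pattern
            target_db = rel_target.parts[0] if rel_target.parts else ""
            findings.append((str(entry.relative_to(root)), str(rel_target),
                             db_dir.name, target_db))
    return findings


def build_fixture(base):
    """Constructed sample datadir (hypothetical databases and tables):
      legit/orders.MYD        regular file, nothing to report
      victim/steal.MYD/.MYI   regular files belonging to database 'victim'
      attacker/steal.MYD/.MYI symlinks into victim/: the CVE pattern
      attacker/big.MYD        symlink to a directory outside the datadir: allowed
    Returns the datadir path."""
    base = Path(base)
    datadir = base / "mysql"
    external = base / "external"
    for d in (datadir / "legit", datadir / "victim", datadir / "attacker", external):
        d.mkdir(parents=True)
    (datadir / "legit" / "orders.MYD").write_bytes(b"")
    (datadir / "victim" / "steal.MYD").write_bytes(b"row data")
    (datadir / "victim" / "steal.MYI").write_bytes(b"index data")
    (external / "big.MYD").write_bytes(b"")
    # What CREATE TABLE ... DATA DIRECTORY='<datadir>/victim' would leave behind:
    os.symlink(datadir / "victim" / "steal.MYD", datadir / "attacker" / "steal.MYD")
    os.symlink(datadir / "victim" / "steal.MYI", datadir / "attacker" / "steal.MYI")
    # DATA DIRECTORY pointing outside the datadir, e.g. onto a bigger disk:
    os.symlink(external / "big.MYD", datadir / "attacker" / "big.MYD")
    return datadir


def demo():
    """Build the fixture in a temporary directory, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_inward_symlinks(build_fixture(tmp))


if __name__ == "__main__":
    for link, target, owner, target_db in demo():
        kind = "CROSS-DB" if owner != target_db else "same-db"
        print(f"{kind}: {link} -> {target}")
```

On a real host, call find_inward_symlinks("/var/lib/mysql") as a user that can read the database directories; any CROSS-DB hit is a table in one database whose data or index file lives in another database's directory and should be reviewed with the owners of both databases before the file is moved or dropped.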