Bug 420231 (CVE-2007-6303)

Summary: CVE-2007-6303 mysql: DEFINER value of view not altered on ALTER VIEW
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6303
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-19 16:36:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 422161, 422171, 422211, 424921, 424931    
Bug Blocks:    

Description Tomas Hoger 2007-12-11 17:56:51 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6303 to the following vulnerability:

MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.

References:

http://bugs.mysql.com/bug.php?id=29908
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html
http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
Comment 3 Tomas Hoger 2007-12-13 08:45:29 UTC 
This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux
2.1, 3, 4, or 5.

Problem affected mysql as shipped in Red Hat Application Stack v1 and v2 and
Fedora.  Issue was rated as having low security impact and may be addressed in
future mysql updates for affected products.
Comment 8 Tomas Hoger 2007-12-19 16:36:35 UTC 
Problem was fixed in all affected supported products:

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2007-1157.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4471
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4465