Bug 152925 - MySQL CAN-2005-0709, -0710, -0711 Remote Vulnerabilities
MySQL CAN-2005-0709, -0710, -0711 Remote Vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mysql (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://secunia.com/advisories/14547/
LEGACY, 1, rh90, rh73
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-18 05:17 EST by John Dalbec
Modified: 2007-04-18 13:22 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-15 22:09:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:32:34 EST
05.11.14 CVE: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
Platform: Cross Platform
Title: MySQL AB Multiple Remote Vulnerabilities
Description: MySQL is vulnerable to multiple remote vulnerabilities.
The issues include insecure temporary file creation, insufficient
sanitization of input and remote arbitrary code execution. MySQL
released version 4.0.24 and 4.1.10a to address these issues.
Ref: http://secunia.com/advisories/14547/ 

(2) LOW: MySQL Database Multiple Vulnerabilities
Affected:
MySQL version 4.0.23 and prior, version 4.1.10

Description: MySQL database contains vulnerability in "CREATE FUNCTION"
procedure that may be exploited to execute arbitrary code with the
privileges of the "mysql" user. Another vulnerability in the "udf_init"
function allows an authenticated user to load functions from an
arbitrary library into the database. In order to exploit these flaws,
an attacker needs the credentials to invoke "INSERT" and "DELETE"
procedures on the MySQL administrative database (typically available to
"root" user). Proof-of-concept exploits have been included in the
discoverer's postings. It is worth pointing out that a similar privilege
escalation vulnerability was exploited by a worm in January 2005 by
targeting the Windows MySQL installations with weak "root" passwords.

Status: MySQL has confirmed the flaws. Version 4.0.24 and 4.1.10a have
been released to address the issues. A workaround to prevent attacks
originating from the Internet is to choose strong MySQL "root" and other
user passwords.

Council Site Actions: Most of the council sites are responding to this
item.   Some sites have already upgraded to the fixed version and other
sites plan to upgrade during their next regularly scheduled system
update process.   In addition, several sites commented that they have
no Internet exposure to this problem. One site is investigating if the
3.x series is vulnerable as well. If so they will install the updated
packages produced by Linux vendors, as they become available.

References:
Posting by Stefano Di Paola
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0084.html   
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0083.html 
Vendor Homepage
http://www.mysql.com  
SecurityFocus BID
http://www.securityfocus.com/bid/12781



------- Additional Comments From pekkas@netcore.fi 2005-03-18 09:21:12 ----

It is not clear whether these affect 3.23.5x series, which are the only ones
we're shipping.  Only those with 4.x.x have released updates.  We'll see..



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:32 -------

This bug previously known as bug 2457 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2457
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:37:33 EDT
Must remember to include fix for bug 152531
Comment 2 Marc Deslauriers 2005-04-14 08:23:45 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated mysql packages to QA.

Changelog:
* Wed Apr 13 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 3.23.58-4.4.legacy
- - Backpatch repair for CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
- - Fix init script to not need a valid username for startup check
- - Don't assume /etc/my.cnf will specify pid-file
- - add sleep to mysql.init restart();

7.3:
acf1197f83afc62663ce859fa6537890a7041f2a  mysql-3.23.58-1.73.6.legacy.i386.rpm
b306c6364d8a4e2233f86babf095a0c06bf8b4a8  mysql-3.23.58-1.73.6.legacy.src.rpm
bd7311def0d413335218fcaf405ed1184091c572  mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
de55232735b74f822bba37271bfc568cbfee4128 
mysql-server-3.23.58-1.73.6.legacy.i386.rpm

9:
15269c3a6cf8d83a153dc471d79eb0aa43550faf  mysql-3.23.58-1.90.6.legacy.i386.rpm
5c6999fed7f26ffe64b6312553b21effd02f98d8  mysql-3.23.58-1.90.6.legacy.src.rpm
9b8dea4bf3b714763b60d017d53d37ea943b910c  mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
1783060cb1880b9eb5c62ca8db0a110c9a4d21d8 
mysql-server-3.23.58-1.90.6.legacy.i386.rpm

1:
172df111c6c0a5bcca47c49124c81ee9c6de552f  mysql-3.23.58-4.4.legacy.i386.rpm
31e458b885c5a3b984871ed0706ace39c36553b6  mysql-3.23.58-4.4.legacy.src.rpm
fddc5af88a99c370302b70d376342f0a63280d43  mysql-bench-3.23.58-4.4.legacy.i386.rpm
a2e0848519566468a9341b05095f6e9b6b7c88be  mysql-devel-3.23.58-4.4.legacy.i386.rpm
112ea43637d503520aefe13b51e6a907953b2def  mysql-server-3.23.58-4.4.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-server-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-server-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-bench-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-devel-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-server-3.23.58-4.4.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCXmC5LMAs/0C4zNoRAutUAJ0TP4Kes2OmOVGvNERIWF6SEI5fmACgwjl6
R4H4Hd7rFwDbWGVab4bDWoM=
=wd8i
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2005-04-16 11:44:12 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - init script changes identical to those in RHEL3
 - spec file changes minimal
 - the patches are identical to RHEL3, with ome difference: with our patch,
   one variable is initalized to zero, RHEL3 doesn't do this.  Shouldn't be
   an issue.

+PUBLISH RHL73,RHL9,FC1

b306c6364d8a4e2233f86babf095a0c06bf8b4a8  mysql-3.23.58-1.73.6.legacy.src.rpm
5c6999fed7f26ffe64b6312553b21effd02f98d8  mysql-3.23.58-1.90.6.legacy.src.rpm
31e458b885c5a3b984871ed0706ace39c36553b6  mysql-3.23.58-4.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCYTGYGHbTkzxSL7QRAqxJAKCAqy0btCYPV9AwozBbm29iuJN7iwCgmcb7
RxI2Hwffv5J3vp9NdMfOzkk=
=yI9p
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2005-05-02 08:07:14 EDT
Packages were pushed to updates-testing
Comment 5 Pekka Savola 2005-05-03 06:21:57 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73.
 
Installed all the mysql packages.  Mysql restarted fine, and horde/imp,
using mysql as a backend also worked OK.  Seems to be working fine..
 
+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCd1CdGHbTkzxSL7QRAgeyAJ9ps7nH/90oXg+B1cE1+UqYq710LACgjSB8
swipcV5ozbgdTvTIsGXu/xk=
=UcFK
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2005-06-16 08:41:23 EDT
1 verify, timeout in 4 weeks.
Comment 7 Pekka Savola 2005-07-15 01:43:03 EDT
Timeout over.
Comment 8 Marc Deslauriers 2005-07-15 22:09:44 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.