05.11.14 CVE: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
Platform: Cross Platform
Title: MySQL AB Multiple Remote Vulnerabilities
Description: MySQL is vulnerable to multiple remote vulnerabilities. The issues include insecure temporary file creation, insufficient sanitization of input and remote arbitrary code execution. MySQL released version 4.0.24 and 4.1.10a to address these issues.
Ref: http://secunia.com/advisories/14547/

(2) LOW: MySQL Database Multiple Vulnerabilities
Affected: MySQL version 4.0.23 and prior, version 4.1.10

Description: MySQL database contains a vulnerability in the "CREATE FUNCTION" procedure that may be exploited to execute arbitrary code with the privileges of the "mysql" user. Another vulnerability in the "udf_init" function allows an authenticated user to load functions from an arbitrary library into the database. In order to exploit these flaws, an attacker needs the credentials to invoke "INSERT" and "DELETE" procedures on the MySQL administrative database (typically available to "root" user). Proof-of-concept exploits have been included in the discoverer's postings. It is worth pointing out that a similar privilege escalation vulnerability was exploited by a worm in January 2005 by targeting the Windows MySQL installations with weak "root" passwords.

Status: MySQL has confirmed the flaws. Version 4.0.24 and 4.1.10a have been released to address the issues. A workaround to prevent attacks originating from the Internet is to choose strong MySQL "root" and other user passwords.

Council Site Actions: Most of the council sites are responding to this item. Some sites have already upgraded to the fixed version and other sites plan to upgrade during their next regularly scheduled system update process. In addition, several sites commented that they have no Internet exposure to this problem. One site is investigating if the 3.x series is vulnerable as well. If so they will install the updated packages produced by Linux vendors, as they become available.

References:
Posting by Stefano Di Paola
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0084.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0083.html
Vendor Homepage
http://www.mysql.com
SecurityFocus BID
http://www.securityfocus.com/bid/12781

------- Additional Comments From pekkas 2005-03-18 09:21:12 ----

It is not clear whether these affect 3.23.5x series, which are the only ones we're shipping. Only those with 4.x.x have released updates. We'll see..

------- Bug moved to this database by dkl 2005-03-30 18:32 -------

This bug previously known as bug 2457 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2457
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
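A defender's audit of the precondition the advisory describes (INSERT and DELETE on the MySQL administrative database), as an added example that is not part of the original bug report. It assumes the grant-table layout of the 3.23/4.x servers discussed here (`mysql.user`, `mysql.db`, `mysql.tables_priv`, `mysql.func`, and a `Password` column in `mysql.user`), and uses plain SELECTs so it does not depend on UNION or subqueries.

```sql
-- Added example: run as an administrative account on the server being reviewed.

-- 1. Accounts holding INSERT or DELETE globally; a global grant also covers
--    the `mysql` database and therefore mysql.func.
SELECT Host, User, Insert_priv, Delete_priv
FROM mysql.user
WHERE Insert_priv = 'Y' OR Delete_priv = 'Y'
ORDER BY User, Host;

-- 2. Database-level grants that cover `mysql`. The Db column may hold a LIKE
--    pattern such as '%' or 'my%', so the literal name is matched against the
--    column rather than compared with '='.
SELECT Host, Db, User, Insert_priv, Delete_priv
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND (Insert_priv = 'Y' OR Delete_priv = 'Y')
ORDER BY User, Host;

-- 3. Table-level grants on mysql.func itself (Table_priv is a SET column).
SELECT Host, User, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND Table_name = 'func'
  AND (FIND_IN_SET('Insert', Table_priv) > 0
       OR FIND_IN_SET('Delete', Table_priv) > 0);

-- 4. User-defined functions currently registered and the shared library each
--    one is loaded from; anything not installed by the administrator needs review.
SELECT name, ret, dl, type
FROM mysql.func
ORDER BY dl, name;

-- 5. Accounts with no password, relevant to the strong-password workaround
--    mentioned in the advisory.
SELECT Host, User
FROM mysql.user
WHERE Password = ''
ORDER BY User, Host;
```

Any non-administrative account returned by queries 1 to 3 can write to `mysql.func` and is in scope for the flaws described above until the fixed packages are installed.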
Must remember to include fix for bug 152531
Here are updated mysql packages to QA.

Changelog:

* Wed Apr 13 2005 Marc Deslauriers <marcdeslauriers> 3.23.58-4.4.legacy
- Backpatch repair for CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
- Fix init script to not need a valid username for startup check
- Don't assume /etc/my.cnf will specify pid-file
- add sleep to mysql.init restart();

http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-3.23.58-1.73.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mysql-server-3.23.58-1.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-3.23.58-1.90.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mysql-server-3.23.58-1.90.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-3.23.58-4.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-bench-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-devel-3.23.58-4.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mysql-server-3.23.58-4.4.legacy.i386.rpm
QA w/ rpm-build-compare.sh:
- source integrity good
- init script changes identical to those in RHEL3
- spec file changes minimal
- the patches are identical to RHEL3, with one difference: with our patch, one variable is initialized to zero, RHEL3 doesn't do this. Shouldn't be an issue.

+PUBLISH RHL73,RHL9,FC1

b306c6364d8a4e2233f86babf095a0c06bf8b4a8 mysql-3.23.58-1.73.6.legacy.src.rpm
5c6999fed7f26ffe64b6312553b21effd02f98d8 mysql-3.23.58-1.90.6.legacy.src.rpm
31e458b885c5a3b984871ed0706ace39c36553b6 mysql-3.23.58-4.4.legacy.src.rpm
Packages were pushed to updates-testing
QA for RHL73. Installed all the mysql packages. Mysql restarted fine, and horde/imp, using mysql as a backend also worked OK. Seems to be working fine..

+VERIFY RHL73
1 verify, timeout in 4 weeks.
Timeout over.
Packages were released to updates.