[Fedora] Schwachstelle in mysql – FEDORA-2010-11126

[Fedora] Schwachstelle in mysql - FEDORA-2010-11126

Von

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Fedora Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.

CVE-2010-2008 – Schwachstelle in MySQL

MySQL enthaelt eine Schwachstelle, die zu einem Absturz oder dem
Verlust der Datenbank fuehren kann. Ursache dieser Schwachstelle ist
ein Fehler bei der Validierung spezieller ‘ALTER DATABASE’-Statements,
welches bestimmte Stringfolgen und ein ‘UPGRADE DATA DIRECTORY
NAME’-Kommando enthalten. Ein Angreifer mit ausreichenden
Zugriffsrechten auf die Datenbank kann diese Schwachstelle fuer Denial
of Service Angriffe ausnutzen.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket mysql

Fedora 12

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Detlev O. Matthies

– —

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

– ——————————————————————————–
Fedora Update Notification
FEDORA-2010-11126
2010-07-15 20:43:16
– ——————————————————————————–

Name : mysql
Product : Fedora 12
Version : 5.1.47
Release : 2.fc12
URL : http://www.mysql.com
Summary : MySQL client programs and shared libraries
Description :
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries. The base package
contains the standard MySQL client programs and generic MySQL files.

– ——————————————————————————–
Update Information:

Add backported patch for CVE-2010-2008
– ——————————————————————————–
ChangeLog:

* Wed Jul 14 2010 Tom Lane <tgl@redhat.com> 5.1.47-2
– – Add backported patch for CVE-2010-2008 (upstream bug 53804)
Related: #614214
* Mon May 24 2010 Tom Lane <tgl@redhat.com> 5.1.47-1
– – Update to MySQL 5.1.47, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
including fixes for CVE-2010-1848, CVE-2010-1849, CVE-2010-1850
Resolves: #592862
Resolves: #583717
* Sat Apr 24 2010 Tom Lane <tgl@redhat.com> 5.1.46-1
– – Update to MySQL 5.1.46, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-46.html
* Thu Mar 25 2010 Tom Lane <tgl@redhat.com> 5.1.45-2
– – Fix multiple problems described in upstream bug 52019, because regression
tests fail on PPC if we don’t.
* Wed Mar 24 2010 Tom Lane <tgl@redhat.com> 5.1.45-1
– – Update to MySQL 5.1.45, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-45.html
* Sat Feb 20 2010 Tom Lane <tgl@redhat.com> 5.1.44-1
– – Update to MySQL 5.1.44, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-44.html
– – Remove mysql.info, which is not freely redistributable
Resolves: #560181
– – Revert broken upstream fix for their bug 45058
Resolves: #566547
* Fri Feb 12 2010 Tom Lane <tgl@redhat.com> 5.1.43-1
– – Update to MySQL 5.1.43, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html
* Fri Jan 29 2010 Tom Lane <tgl@redhat.com> 5.1.42-7
– – Add backported patch for CVE-2008-7247 (upstream bug 39277)
Related: #543619
– – Use non-expired certificates for SSL testing (upstream bug 50702)
– – Emit explicit error message if user tries to build RPM as root
Related: #558915
– – Correct Source0: tag and comment to reflect how to get the tarball
– – Add comment suggesting disabling symbolic links in /etc/my.cnf
Related: #553652
– – Change %define to %global, per packaging guidelines
* Sat Jan 2 2010 Tom Lane <tgl@redhat.com> 5.1.42-2
– – Disable building the innodb plugin; it tickles assorted gcc bugs and
doesn’t seem entirely ready for prime time anyway.
* Fri Jan 1 2010 Tom Lane <tgl@redhat.com> 5.1.42-1
– – Update to MySQL 5.1.42, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-42.html
– – Start mysqld_safe with –basedir=/usr, to avoid unwanted SELinux messages
Resolves: #547485
* Thu Dec 17 2009 Tom Lane <tgl@redhat.com> 5.1.41-2
– – Update to MySQL 5.1.41, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
including fixes for CVE-2009-4019
Related: #540906
– – Stop waiting during “service mysqld start” if mysqld_safe exits
Resolves: #544095
* Tue Nov 10 2009 Tom Lane <tgl@redhat.com> 5.1.40-1
– – Update to MySQL 5.1.40, for various fixes described at
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-40.html
– – Do not force the –log-error setting in mysqld init script
Resolves: #533736
– ——————————————————————————–
References:

[ 1 ] Bug #614214 – CVE-2010-2008 mysql: remote authenticated DoS via ALTER DATABASE
https://bugzilla.redhat.com/show_bug.cgi?id=614214
– ——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update mysql’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
– ——————————————————————————–

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkxX2Q4ACgkQWmhIvjFb90XWMwCff0S5jy/pF55SetuNgfElXSKI
Y7gAnitnAESI04Z5RzKEsvbgddms/HmE
=Sqwh
—–END PGP SIGNATURE—–

© COMPUTEC MEDIA GmbH
Nach oben