`` 

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated MySQL packages fix various security issues
Advisory ID:       RHSA-2002:288-22
Issue date:        2003-01-15
Updated on:        2003-01-15
Product:           Red Hat Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2001:003
CVE Names:         CAN-2002-1373 CAN-2002-1374 CAN-2002-1375 CAN-2002-1376
---------------------------------------------------------------------

1. Topic:

Updated MySQL packages are available for Red Hat Linux 7, 7.1, 7.2, 7.3,
and 8.0 which fix security vulnerabilities found in the MySQL server.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

MySQL is a multi-user, multi-threaded SQL database server. While auditing
MySQL, Stefan Esser found security vulnerabilities that can be used to
crash the server or allow MySQL users to gain privileges.

A signed integer vulnerability in the COM_TABLE_DUMP package for MySQL
3.x to 3.23.53a  allows remote attackers to cause a denial of service
(crash or hang) in mysqld by causing large negative integers to be provided
to a memcpy call.  (CAN-2002-1373)

The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a and 4.x to
4.0.5a allows a remote attacker to gain privileges via a brute force
attack using a one-character password, which causes MySQL to only compare
the provided password against the first character of the real
password. (CAN-2002-1374)

The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a and 4.x to
4.0.5a allows remote attackers to execute arbitrary code via a long
response.  (CAN-2002-1375)

The MySQL client library (libmysqlclient) in MySQL 3.x to 3.23.53a and 4.x
to 4.0.5a does not properly verify length fields for certain responses
in the read_rows or read_one_row routines, which allows a malicious server
to cause a denial of service and possibly execute arbitrary
code.  (CAN-2002-1376)

Red Hat Linux 7, 7.1, 7.2, 7.3, and 8.0 contain versions of MySQL that
are vulnerable to these issues. All users of MySQL are advised to upgrade
to the erratum packages containing MySQL 3.23.54a which is not vulnerable
to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed  (  for more info):

79606 - Several vulnerabilities within (lib)MySQL could allow (remote) compromise of client and/or server.

6. RPMs required:

Red Hat Linux 7.0:

SRPMS: 
  
 

i386: 
  
  
  
 

Red Hat Linux 7.1:

SRPMS: 
  
 

i386: 
  
  
  
 

Red Hat Linux 7.2:

SRPMS: 
  
 

i386: 
  
  
  
 

ia64: 
  
  
 

Red Hat Linux 7.3:

SRPMS: 
  
 

i386: 
  
  
  
 

Red Hat Linux 8.0:

SRPMS: 
 

i386: 
  
  
 



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
5dd77d69e22ed43e0ff28b29b8e44e92 7.0/en/os/SRPMS/mysql-3.23.54a-3.70.src.rpm
9c782173b553a1998d317c2477ed3247 7.0/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm
a06746956383b4f2d01728809225df64 7.0/en/os/i386/mysql-3.23.54a-3.70.i386.rpm
f122e1fb596b8f35621549123e177720 7.0/en/os/i386/mysql-devel-3.23.54a-3.70.i386.rpm
9b1c91cbd8b38f9964b06825e50931f9 7.0/en/os/i386/mysql-server-3.23.54a-3.70.i386.rpm
649000787148d19b8019919535845680 7.0/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm
e58fe98ddb3c8ac698ebc92ca8150b72 7.1/en/os/SRPMS/mysql-3.23.54a-3.71.src.rpm
9c782173b553a1998d317c2477ed3247 7.1/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm
240ec3da00638e7659af70c288aa04ba 7.1/en/os/i386/mysql-3.23.54a-3.71.i386.rpm
a0b0060873f65a62e8f9a3e15aed64b6 7.1/en/os/i386/mysql-devel-3.23.54a-3.71.i386.rpm
01e625385fc064f3440ffc4c2b78f4b8 7.1/en/os/i386/mysql-server-3.23.54a-3.71.i386.rpm
649000787148d19b8019919535845680 7.1/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm
d18c6f59453525e47fdcc1575a1e8093 7.2/en/os/SRPMS/mysql-3.23.54a-3.72.src.rpm
9c782173b553a1998d317c2477ed3247 7.2/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm
8e5c91af905cda89d589162004f758c3 7.2/en/os/i386/mysql-3.23.54a-3.72.i386.rpm
516a9e98cd4574ee187f5ea5c1b42716 7.2/en/os/i386/mysql-devel-3.23.54a-3.72.i386.rpm
7feb019bec0fce4f0e7a39b5f4df6de3 7.2/en/os/i386/mysql-server-3.23.54a-3.72.i386.rpm
649000787148d19b8019919535845680 7.2/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm
9587426ae471e596b8b3f90ef0b9ad3c 7.2/en/os/ia64/mysql-3.23.54a-3.72.ia64.rpm
7ffeed598fdc805f21f5adf3b01cc4eb 7.2/en/os/ia64/mysql-devel-3.23.54a-3.72.ia64.rpm
4e848cbb1ad6375638a55b20242df741 7.2/en/os/ia64/mysql-server-3.23.54a-3.72.ia64.rpm
57f593d5fb5e21cff6ce65f934fe9dca 7.3/en/os/SRPMS/mysql-3.23.54a-3.73.src.rpm
9c782173b553a1998d317c2477ed3247 7.3/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm
0b39e3e5ee05d1daedb9e2146df24aaa 7.3/en/os/i386/mysql-3.23.54a-3.73.i386.rpm
1dd4afbca391e33250b2727b623123c8 7.3/en/os/i386/mysql-devel-3.23.54a-3.73.i386.rpm
62ade60f13d7d53eb7a791249688cfdb 7.3/en/os/i386/mysql-server-3.23.54a-3.73.i386.rpm
649000787148d19b8019919535845680 7.3/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm
bbfa3dec0f70825e7f8277c85db2296a 8.0/en/os/SRPMS/mysql-3.23.54a-4.src.rpm
e6aa4bfefb78db997f40ccb8e8815fcc 8.0/en/os/i386/mysql-3.23.54a-4.i386.rpm
8340813723029e6bca15cebce9a59c6f 8.0/en/os/i386/mysql-devel-3.23.54a-4.i386.rpm
44c0dab242a5a26db0c139db6a371b02 8.0/en/os/i386/mysql-server-3.23.54a-4.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at  About

You can verify each package with the following command:
    
    rpm --checksig -v 

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum 


8. References:
 
 
CVE -CVE-2002-1373 
CVE -CVE-2002-1374 
CVE -CVE-2002-1375 
CVE -CVE-2002-1376
9. Contact:

The Red Hat security contact is <security@RedHat.com>.  More contact
details at  All Red Hat products

Copyright 2003 Red Hat, Inc.



_______________________________________________
Red Hat-watch-list mailing list
To unsubscribe, visit: https://listman.RedHat.com/mailman/listinfo/RedHat-watch-list
``

RedHat: mysql multiple vulnerabilities RHSA-2002:288-22

Updated MySQL packages are available for Red Hat Linux 7, 7.1, 7.2, 7.3, and 8.0 which fix security vulnerabilities found in the MySQL server.

Summary



Summary

MySQL is a multi-user, multi-threaded SQL database server. While auditingMySQL, Stefan Esser found security vulnerabilities that can be used tocrash the server or allow MySQL users to gain privileges.A signed integer vulnerability in the COM_TABLE_DUMP package for MySQL3.x to 3.23.53a allows remote attackers to cause a denial of service(crash or hang) in mysqld by causing large negative integers to be providedto a memcpy call. (CAN-2002-1373)The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a and 4.x to4.0.5a allows a remote attacker to gain privileges via a brute forceattack using a one-character password, which causes MySQL to only comparethe provided password against the first character of the realpassword. (CAN-2002-1374)The COM_CHANGE_USER command in MySQL 3.x to 3.23.53a and 4.x to4.0.5a allows remote attackers to execute arbitrary code via a longresponse. (CAN-2002-1375)The MySQL client library (libmysqlclient) in MySQL 3.x to 3.23.53a and 4.xto 4.0.5a does not properly verify length fields for certain responsesin the read_rows or read_one_row routines, which allows a malicious serverto cause a denial of service and possibly execute arbitrarycode. (CAN-2002-1376)Red Hat Linux 7, 7.1, 7.2, 7.3, and 8.0 contain versions of MySQL thatare vulnerable to these issues. All users of MySQL are advised to upgradeto the erratum packages containing MySQL 3.23.54a which is not vulnerableto these issues.


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
5. Bug IDs fixed ( for more info):
79606 - Several vulnerabilities within (lib)MySQL could allow (remote) compromise of client and/or server.
6. RPMs required:
Red Hat Linux 7.0:
SRPMS:


i386:




Red Hat Linux 7.1:
SRPMS:


i386:




Red Hat Linux 7.2:
SRPMS:


i386:




ia64:



Red Hat Linux 7.3:
SRPMS:


i386:




Red Hat Linux 8.0:
SRPMS:

i386:





7. Verification:
MD5 sum Package Name 5dd77d69e22ed43e0ff28b29b8e44e92 7.0/en/os/SRPMS/mysql-3.23.54a-3.70.src.rpm 9c782173b553a1998d317c2477ed3247 7.0/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm a06746956383b4f2d01728809225df64 7.0/en/os/i386/mysql-3.23.54a-3.70.i386.rpm f122e1fb596b8f35621549123e177720 7.0/en/os/i386/mysql-devel-3.23.54a-3.70.i386.rpm 9b1c91cbd8b38f9964b06825e50931f9 7.0/en/os/i386/mysql-server-3.23.54a-3.70.i386.rpm 649000787148d19b8019919535845680 7.0/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm e58fe98ddb3c8ac698ebc92ca8150b72 7.1/en/os/SRPMS/mysql-3.23.54a-3.71.src.rpm 9c782173b553a1998d317c2477ed3247 7.1/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm 240ec3da00638e7659af70c288aa04ba 7.1/en/os/i386/mysql-3.23.54a-3.71.i386.rpm a0b0060873f65a62e8f9a3e15aed64b6 7.1/en/os/i386/mysql-devel-3.23.54a-3.71.i386.rpm 01e625385fc064f3440ffc4c2b78f4b8 7.1/en/os/i386/mysql-server-3.23.54a-3.71.i386.rpm 649000787148d19b8019919535845680 7.1/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm d18c6f59453525e47fdcc1575a1e8093 7.2/en/os/SRPMS/mysql-3.23.54a-3.72.src.rpm 9c782173b553a1998d317c2477ed3247 7.2/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm 8e5c91af905cda89d589162004f758c3 7.2/en/os/i386/mysql-3.23.54a-3.72.i386.rpm 516a9e98cd4574ee187f5ea5c1b42716 7.2/en/os/i386/mysql-devel-3.23.54a-3.72.i386.rpm 7feb019bec0fce4f0e7a39b5f4df6de3 7.2/en/os/i386/mysql-server-3.23.54a-3.72.i386.rpm 649000787148d19b8019919535845680 7.2/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm 9587426ae471e596b8b3f90ef0b9ad3c 7.2/en/os/ia64/mysql-3.23.54a-3.72.ia64.rpm 7ffeed598fdc805f21f5adf3b01cc4eb 7.2/en/os/ia64/mysql-devel-3.23.54a-3.72.ia64.rpm 4e848cbb1ad6375638a55b20242df741 7.2/en/os/ia64/mysql-server-3.23.54a-3.72.ia64.rpm 57f593d5fb5e21cff6ce65f934fe9dca 7.3/en/os/SRPMS/mysql-3.23.54a-3.73.src.rpm 9c782173b553a1998d317c2477ed3247 7.3/en/os/SRPMS/mysqlclient9-3.23.22-8.src.rpm 0b39e3e5ee05d1daedb9e2146df24aaa 7.3/en/os/i386/mysql-3.23.54a-3.73.i386.rpm 1dd4afbca391e33250b2727b623123c8 7.3/en/os/i386/mysql-devel-3.23.54a-3.73.i386.rpm 62ade60f13d7d53eb7a791249688cfdb 7.3/en/os/i386/mysql-server-3.23.54a-3.73.i386.rpm 649000787148d19b8019919535845680 7.3/en/os/i386/mysqlclient9-3.23.22-8.i386.rpm bbfa3dec0f70825e7f8277c85db2296a 8.0/en/os/SRPMS/mysql-3.23.54a-4.src.rpm e6aa4bfefb78db997f40ccb8e8815fcc 8.0/en/os/i386/mysql-3.23.54a-4.i386.rpm 8340813723029e6bca15cebce9a59c6f 8.0/en/os/i386/mysql-devel-3.23.54a-4.i386.rpm 44c0dab242a5a26db0c139db6a371b02 8.0/en/os/i386/mysql-server-3.23.54a-4.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at About
You can verify each package with the following command:
rpm --checksig -v
If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:
md5sum

References

CVE -CVE-2002-1373 CVE -CVE-2002-1374 CVE -CVE-2002-1375 CVE -CVE-2002-1376

Package List


Severity
Advisory ID: RHSA-2002:288-22
Issued Date: : 2003-01-15
Updated on: 2003-01-15
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes: RHSA-2001:003
CVE Names: CAN-2002-1373 CAN-2002-1374 CAN-2002-1375 CAN-2002-1376

Topic


Topic

Updated MySQL packages are available for Red Hat Linux 7, 7.1, 7.2, 7.3,

and 8.0 which fix security vulnerabilities found in the MySQL server.


 

Relevant Releases Architectures

Red Hat Linux 7.0 - i386

Red Hat Linux 7.1 - i386

Red Hat Linux 7.2 - i386, ia64

Red Hat Linux 7.3 - i386

Red Hat Linux 8.0 - i386


Bugs Fixed


Related News

13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software
2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved