RedHat: Low: mysql security update
Posted by Benjamin D. Thomas   
Updated MySQL packages for the Red Hat Application Stack comprising the v1.1 release are now available. This update also resolves some minor security issues rated as having low security impact by the Red Hat Security Response Team.
---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: mysql security update
Advisory ID:       RHSA-2007:0083-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0083.html
Issue date:        2007-02-19
Updated on:        2007-02-19
Product:           Red Hat Application Stack
CVE Names:         CVE-2006-0903 CVE-2006-3081 CVE-2006-4031 
                   CVE-2006-4226 CVE-2006-4227 
---------------------------------------------------------------------

1. Summary:

Updated MySQL packages for the Red Hat Application Stack comprising the v1.1
release are now available.

This update also resolves some minor security issues rated as having low
security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Problem description:

Several minor security issues were found in MySQL:

MySQL, when running on a case-sensitive filesystem, allowed remote
authenticated users to create or access a database when the database name
differed only in case from a database for which they had permissions.
(CVE-2006-4226)

MySQL evaluated the arguments of a stored routine in the security context of
the routine's definer rather than that of the caller, which allowed remote
authenticated users to gain privileges through a routine that had been made
available to them using GRANT EXECUTE.  (CVE-2006-4227)

MySQL allowed a local user to access a table through a previously created
MERGE table, even after the user's privileges were revoked for the original
table, which might violate intended security policy.  (CVE-2006-4031)

MySQL allowed authenticated users to cause a denial of service (crash) via
a NULL second argument to the str_to_date function.  (CVE-2006-3081)

MySQL allowed local authenticated users to bypass logging mechanisms via
SQL queries that contain the NULL character, which were not properly
handled by the mysql_real_query function.  (CVE-2006-0903)

Users of MySQL should upgrade to these updated packages, which resolve
these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

228999 - CVE-2006-0903 Multiple minor MySQL issues (CVE-2006-3081 CVE-2006-4031 CVE-2006-4226 CVE-2006-4227)

6. RPMs required:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/mysql-5.0.30-1.el4s1.1.src.rpm
b1286f8ed419eec951f02a0f17cdc5b6  mysql-5.0.30-1.el4s1.1.src.rpm

i386:
c1bd8eae792b620677100762b2659dac  mysql-5.0.30-1.el4s1.1.i386.rpm
4a9671ac9a96e68d48a3c9aaf24e607d  mysql-bench-5.0.30-1.el4s1.1.i386.rpm
13ead71f722b74d0ab6a99b2f5becc11  mysql-debuginfo-5.0.30-1.el4s1.1.i386.rpm
81fc452e5a6849a88b6db218a5c92dc7  mysql-devel-5.0.30-1.el4s1.1.i386.rpm
af5162d98ff053a9e641c4284874a675  mysql-server-5.0.30-1.el4s1.1.i386.rpm
440229a542bf959f05cd22aa469948bb  mysql-test-5.0.30-1.el4s1.1.i386.rpm

x86_64:
c1bd8eae792b620677100762b2659dac  mysql-5.0.30-1.el4s1.1.i386.rpm
913c86ac256fe0e54c866dab843d3ef3  mysql-5.0.30-1.el4s1.1.x86_64.rpm
d27530b3c3ebe17fbac831d2ba6997af  mysql-bench-5.0.30-1.el4s1.1.x86_64.rpm
13ead71f722b74d0ab6a99b2f5becc11  mysql-debuginfo-5.0.30-1.el4s1.1.i386.rpm
4524fc0f9b297224643d5f47ec72355f  mysql-debuginfo-5.0.30-1.el4s1.1.x86_64.rpm
7e72f397613fe1b20503be9bfc68f3f4  mysql-devel-5.0.30-1.el4s1.1.x86_64.rpm
5f648be2383cd82412257c8644acd0db  mysql-server-5.0.30-1.el4s1.1.x86_64.rpm
b5a605586daaaee0e9b8855d8d96c7cc  mysql-test-5.0.30-1.el4s1.1.x86_64.rpm

Red Hat Application Stack v1 for Enterprise Linux ES (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/mysql-5.0.30-1.el4s1.1.src.rpm
b1286f8ed419eec951f02a0f17cdc5b6  mysql-5.0.30-1.el4s1.1.src.rpm

i386:
c1bd8eae792b620677100762b2659dac  mysql-5.0.30-1.el4s1.1.i386.rpm
4a9671ac9a96e68d48a3c9aaf24e607d  mysql-bench-5.0.30-1.el4s1.1.i386.rpm
13ead71f722b74d0ab6a99b2f5becc11  mysql-debuginfo-5.0.30-1.el4s1.1.i386.rpm
81fc452e5a6849a88b6db218a5c92dc7  mysql-devel-5.0.30-1.el4s1.1.i386.rpm
af5162d98ff053a9e641c4284874a675  mysql-server-5.0.30-1.el4s1.1.i386.rpm
440229a542bf959f05cd22aa469948bb  mysql-test-5.0.30-1.el4s1.1.i386.rpm

x86_64:
c1bd8eae792b620677100762b2659dac  mysql-5.0.30-1.el4s1.1.i386.rpm
913c86ac256fe0e54c866dab843d3ef3  mysql-5.0.30-1.el4s1.1.x86_64.rpm
d27530b3c3ebe17fbac831d2ba6997af  mysql-bench-5.0.30-1.el4s1.1.x86_64.rpm
13ead71f722b74d0ab6a99b2f5becc11  mysql-debuginfo-5.0.30-1.el4s1.1.i386.rpm
4524fc0f9b297224643d5f47ec72355f  mysql-debuginfo-5.0.30-1.el4s1.1.x86_64.rpm
7e72f397613fe1b20503be9bfc68f3f4  mysql-devel-5.0.30-1.el4s1.1.x86_64.rpm
5f648be2383cd82412257c8644acd0db  mysql-server-5.0.30-1.el4s1.1.x86_64.rpm
b5a605586daaaee0e9b8855d8d96c7cc  mysql-test-5.0.30-1.el4s1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
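The steps in sections 4 and 6 (check the published MD5 sums, check the GPG
signatures, then freshen with rpm -Fvh) as one script. This is an added
example and is not part of the Red Hat advisory: the checksum lines are copied
from the i386 list above, but the ./rpms download directory, the prior
key-import step and the post-upgrade query are assumptions. Note that the MD5
lines only prove the download arrived intact; MD5 is not collision-resistant,
so the GPG signature check with rpm -K is the step that actually establishes
the packages came from Red Hat.

```shell
#!/bin/sh
# Added example (not from the advisory): verify published MD5 sums and RPM
# GPG signatures before freshening the MySQL packages with rpm -Fvh.
# Assumptions: RPMs were downloaded into ./rpms, and the Red Hat package
# signing key has been imported into the rpm database (rpm --import KEYFILE).

# Subset of the advisory's i386 list (section 6), in md5sum's "HASH  NAME" form.
RHSA_2007_0083_I386='c1bd8eae792b620677100762b2659dac  mysql-5.0.30-1.el4s1.1.i386.rpm
af5162d98ff053a9e641c4284874a675  mysql-server-5.0.30-1.el4s1.1.i386.rpm
81fc452e5a6849a88b6db218a5c92dc7  mysql-devel-5.0.30-1.el4s1.1.i386.rpm'

# verify_md5 FILE EXPECTED -> exit 0 iff md5sum(FILE) equals EXPECTED.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)   # md5sum prints "HASH  NAME"
    [ "$actual" = "$2" ]
}

# verify_list DIR LIST -> exit 0 iff every "HASH  NAME" line in LIST names a
# file in DIR whose MD5 matches. A listed file that is absent counts as a
# failure: it means the download is incomplete, which rpm -F would silently
# mask by just skipping that package.
verify_list() {
    dir=$1
    printf '%s\n' "$2" | {
        failed=0
        while read -r sum name; do
            [ -n "$name" ] || continue                 # skip blank lines
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING   $name" >&2; failed=$((failed + 1))
            elif verify_md5 "$dir/$name" "$sum"; then
                echo "MD5 OK    $name"
            else
                echo "MD5 BAD   $name" >&2; failed=$((failed + 1))
            fi
        done
        [ "$failed" -eq 0 ]    # the group's status becomes the function's status
    }
}

# apply_update DIR LIST: MD5 check, then GPG signature check, then freshen.
# rpm -K exits non-zero when a signature does not verify, including when the
# signing key has not been imported; treat any non-zero status as a stop.
apply_update() {
    dir=$1; list=$2
    verify_list "$dir" "$list" || { echo "MD5 verification failed, aborting" >&2; return 1; }
    for f in "$dir"/*.rpm; do
        rpm -K "$f" || { echo "signature check failed: $f" >&2; return 1; }
    done
    rpm -Fvh "$dir"/*.rpm || return 1    # -F: only packages already installed
    rpm -qa 'mysql*'                     # every installed mysql package should now be 5.0.30-1.el4s1.1
}

# Usage, not executed here:  apply_update ./rpms "$RHSA_2007_0083_I386"
```

On x86_64 hosts the advisory's list deliberately includes the i386 mysql
client and debuginfo packages alongside the x86_64 ones (multilib); put both
sets in the directory and rpm -F will freshen whichever of them are installed.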

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4227
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
 