Bulletin d'alerte Debian

DSA-303-1 mysql -- Usurpation de droits

Date du rapport:

15 mai 2003

Paquets concernés:

Vulnérabilité:

Oui

Références dans la base de données de sécurité:

Dans la base de données de suivi des bogues (chez SecurityFocus) : Identificateur BugTraq 7052.
Dans le dictionnaire CVE du Mitre : CVE-2003-0073, CVE-2003-0150.

Pour plus d'information:

CAN-2003-0073 : Le paquet mysql contient un bogue qui libère plus d'une fois de la mémoire allouée dynamiquement. Il pouvait être déclenché délibérément par un attaquant causant un plantage et par voie de conséquence un déni de service. Pour exploiter cette faille de sécurité, une combinaison valide d'un nom d'utilisateur et d'un mot de passe pour accéder au serveur MySQL est nécessaire.

CAN-2003-0150 : Le paquet mysql possède un bogue à cause duquel un utilisateur malveillant avec certaines permissions dans mysql, pouvait créer un fichier de configuration qui pourrait exécuter le serveur mysql en tant que root ou tout autre utilisateur plutôt que l'utilisateur mysql.

Pour la distribution stable (Woody), les deux problèmes ont été corrigés dans la version 3.23.49-8.4.

L'ancienne distribution stable (Potato) est affectée seulement par CAN-2003-0150 et ceci a été corrigé dans la version 3.22.32-6.4.

Pour la distribution instable (Sid), CAN-2003-0073 a été corrigé dans la version 4.0.12-2 et CAN-2003-0150 le sera bientôt.

Nous vous recommandons de mettre à jour votre paquet mysql.

Corrigé dans:

Debian GNU/Linux 3.0 (woody)

Source :: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.4.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.4_all.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.4_sparc.deb

Debian GNU/Linux 2.2 (potato)

Source :: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.4.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_i386.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_m68k.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.4_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.4_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.