Debians sikkerhedsbulletin

DSA-647-1 mysql -- usiker midlertidige filer

Rapporteret den:

19. jan 2005

Berørte pakker:

mysql

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2005-0004.

Yderligere oplysninger:

Javier Fernandez-Sanguino Peña fra Debians sikkerhedsauditprojekt har opdaget en midlertidig fil-sårbarhed i skriptet mysqlaccess i MySQL. Sårbarheden kunne gøre det muligt for en upriviligeret bruger at lade root overskrive vilkårlige filer via et symlink-angreb, og indholdet af en midlertidig fil, der kunne indeholde følsomme oplysninger, kunne også afsløres.

I den stabile distribution (woody) er dette problem rettet i version 3.23.49-8.9.

I den ustabile distribution (sid) er dette problem rettet i version 4.0.23-3 af mysql-dfsg og i version 4.1.8a-6 af mysql-dfsg-4.1.

Vi anbefaler at du opgraderer dine mysql-pakker.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.9.dsc; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49-8.9.diff.gz; http://security.debian.org/pool/updates/main/m/mysql/mysql_3.23.49.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/m/mysql/mysql-common_3.23.49-8.9_all.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.23.49-8.5_all.deb
Alpha:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_alpha.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_arm.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_i386.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_ia64.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_hppa.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_m68k.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_mips.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_mipsel.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_powerpc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_s390.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10_3.23.49-8.9_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/libmysqlclient10-dev_3.23.49-8.9_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.23.49-8.9_sparc.deb; http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.23.49-8.9_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.