Hello On 2006-06-15 Moritz Muehlenhoff wrote: > Christian Hammers wrote: > > Hey > > > > Long time no read :) But I guess the attached bug justifies a DSA, or? > > I verified that it really crashes the whole server and not only the > > one connection that is used (see below). The patch from 4.1 and 5.0 > > looks identical and very easy to backport (one line only). > > If the whole mysql server can be crashed a DSA is justified, yes. > > > Should I prepare packages? > > Please do.
I found out that 3.23 (woody) and 4.0 (sarge) are not vulnerable as the function str_to_date() was introduced in 4.1.1. Packages for 4.1 (sarge) can be found on http://www.lathspell.de/linux/debian/mysql/sarge-4.1/ The patch from the last DSA has been renamed from 64_SECURITY_CVE-2006-XXXX.dpatch to 64_SECURITY_CVE-2006-2753.dpatch, I hope you don't mind that this is in the .diff. > > AFAIK there's no CVE number assigned to this, can you register one? > > If an update is public through a place like Bugtraq CVE assignments are > done through MITRE, it'll probably trickle in very soon. We'll keep you > posted. The new CVE-Id should, once it is known, replace the XXXX in * the 65_SECURITY_CVE-2006-XXXX.dpatch filename * the comment in this file (2x) and * the debian/changelog file (1x) I verified that with this patch the function returns NULL and no longer crashs the server. bye, -christian- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
