Hello Security-Team! There are two new security bugs in MySQL of which one affects Sarge:
On 2006-08-26 Stefan Fritsch wrote:
> Package: mysql-server
> Severity: important
> Tags: security
>
> Two vulnerabilities have been reported in MySQL:
>
> CVE-2006-4226:
> MySQL before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when
> run on case-sensitive filesystems, allows remote authenticated users
> to create or access a database when the database name differs only in
> case from a database for which they have permissions.

For 4.0 I could *not* verify the bug being present and the affected class constructor hash_filo() in sql/sql_acl.cc / sql/hash_filo.h does not know about charsets, which were introduced as feature into 4.1, which makes this explainable. This is contrary to the CVE list of affected versions. (mysql did not list 4.0 either but they don't care much about the old 3.23/4.0)

For 4.1 I've uploaded 4.1.11a-sarge6 to stable-proposed-updates some days ago as it contained but that might lead to a server crash on specially crafted SQL statements. As this could be seen as a potential DoS attack, too, I ask for permission to leave the patch in 4.1.11a-sarge7. If you object I rebuild sarge7 with that patch removed and upload sarge8 with it once the DSA has been released.

> CVE-2006-4227:
> MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of
> suid routines in the security context of the routine's definer instead of
> the routine's caller, which allows remote authenticated users to gain
> privileges through a routine that has been made available using GRANT
> EXECUTE.
>
> Please mention the CVE-ids in the changelog.

The CVE-2006-4227 does only affect MySQL-5.0 in testing/unstable as prior versions were not capable of user created SQL functions.

I've uploaded fixed packages along with the "diffstat.txt" output to http://www.lathspell.de/linux/debian/mysql/sarge-4.1/

In case you want to verify the fixes, there are automated test cases included in the patch and smaller ones described in the bugs.mysql.com entries (CVE entries link to it). I already verified them before and after applying the patches.

If there's anything more I can do to help you with a DSA, just let me know.

bye,

-christian-