Package: mysql-dfsg
Version: 4.0.23-10
Severity: grave
Tags: security

Stefano Di Paola discovered that it's possible to use a library located in an arbitrary directory, if an authenticated user has INSERT and DELETE privileges on the 'mysql' administrative database.
There does not seem to be a CVE assignment yet. The full advisory can be found at:
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0083.html

The advisory claims that MySQL has released a fix, and new upstream releases (4.0.24 and 4.1.10a), which haven't appeared on mysql.com yet.

Cheers,
Moritz

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
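
An added audit example, not part of the original report or the advisory: these queries list the accounts that hold both INSERT and DELETE on the 'mysql' database, the precondition the report describes, at global, database and table scope. They assume the standard MySQL 4.0 grant tables (mysql.user, mysql.db, mysql.tables_priv) and are meant to be run by an administrative account.

```sql
-- Added audit example; assumes the stock MySQL 4.0 grant-table layout.
-- Three separate statements are used instead of a UNION so that no
-- result column is truncated to the width of the first SELECT.

-- 1. Global grants: these apply to every database, including 'mysql'.
SELECT Host, User
  FROM mysql.user
 WHERE Insert_priv = 'Y'
   AND Delete_priv = 'Y';

-- 2. Database-level grants. The Db column may contain the wildcards
--    % and _, so it is treated as a LIKE pattern and matched against
--    the literal name 'mysql' (this also catches grants on '%' or 'my%').
SELECT Host, User, Db
  FROM mysql.db
 WHERE 'mysql' LIKE Db
   AND Insert_priv = 'Y'
   AND Delete_priv = 'Y';

-- 3. Table-level grants on tables inside 'mysql'. Table_priv is a SET
--    column, so each privilege is tested with FIND_IN_SET.
SELECT Host, User, Table_name, Table_priv
  FROM mysql.tables_priv
 WHERE Db = 'mysql'
   AND FIND_IN_SET('Insert', Table_priv) > 0
   AND FIND_IN_SET('Delete', Table_priv) > 0;
```

Any account returned other than the intended administrators is a candidate for having these privileges revoked until the fixed package is installed.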