Your message dated Thu, 31 Jan 2008 07:52:16 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#460873: fixed in mysql-dfsg-5.0 5.0.32-7etch5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mysql-dfsg-5.0
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mysql-dfsg-5.0.

CVE-2008-0227[0]:
| yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products,
| allows remote attackers to cause a denial of service (crash) via a
| Hello packet containing a large size value, which triggers a buffer
| over-read in the HASHwithTransform::Update function in hash.cpp.

CVE-2008-0226[0]:
| Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL
| and possibly other products, allow remote attackers to execute
| arbitrary code via (1) the ProcessOldClientHello function in
| handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.


If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0227
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


--- End Message ---
--- Begin Message ---
Source: mysql-dfsg-5.0
Source-Version: 5.0.32-7etch5

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.32-7etch5_i386.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_i386.deb
libmysqlclient15off_5.0.32-7etch5_i386.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_i386.deb
mysql-client-5.0_5.0.32-7etch5_i386.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_i386.deb
mysql-client_5.0.32-7etch5_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch5_all.deb
mysql-common_5.0.32-7etch5_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch5_all.deb
mysql-dfsg-5.0_5.0.32-7etch5.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.diff.gz
mysql-dfsg-5.0_5.0.32-7etch5.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.dsc
mysql-server-4.1_5.0.32-7etch5_i386.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_i386.deb
mysql-server-5.0_5.0.32-7etch5_i386.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_i386.deb
mysql-server_5.0.32-7etch5_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Jan 2008 09:22:03 +0100
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server mysql-server-4.1 mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all i386
Version: 5.0.32-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Norbert Tretkowski <[EMAIL PROTECTED]>
Description: 
 libmysqlclient15-dev - mysql database development files
 libmysqlclient15off - mysql database client library
 mysql-client - mysql database client (meta package depending on the latest versi
 mysql-client-5.0 - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server (meta package depending on the latest versi
 mysql-server-4.1 - mysql database server (transitional package)
 mysql-server-5.0 - mysql database server binaries
Closes: 460873
Changes: 
 mysql-dfsg-5.0 (5.0.32-7etch5) stable-security; urgency=high
 .
   * SECURITY:
     Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
     versions 1.7.5 and earlier were discovered that could lead to a server
     crash or execution of unauthorized code. The exploit requires a server
     with yaSSL enabled and TCP/IP connections enabled, but does not require
     valid MySQL account credentials. The exploit does not apply to OpenSSL.
     (closes: #460873)
Files: 
 7d6a184cf5bda53d18be88728a0635c4 1117 misc optional mysql-dfsg-5.0_5.0.32-7etch5.dsc
 05351b7ac0547d3666828c7eba89ee18 165895 misc optional mysql-dfsg-5.0_5.0.32-7etch5.diff.gz
 3a16dd0a2c795cf7e906c648844a9779 53944 misc optional mysql-common_5.0.32-7etch5_all.deb
 5c9311fc2072be8336424c648497303e 47716 misc optional mysql-server_5.0.32-7etch5_all.deb
 c2d87b9755088b3a67851dc4867a67f8 45636 misc optional mysql-client_5.0.32-7etch5_all.deb
 ab7cbdd14a9bff04066a865634ef1ce2 1793974 libs optional libmysqlclient15off_5.0.32-7etch5_i386.deb
 90aae8d289cb3df24009c65b1af3b12d 6971870 libdevel optional libmysqlclient15-dev_5.0.32-7etch5_i386.deb
 6082aa213539a361cced40044161d108 7189880 misc optional mysql-client-5.0_5.0.32-7etch5_i386.deb
 d615311235c5a9e6d85e7e77b4927d5d 25370152 misc optional mysql-server-5.0_5.0.32-7etch5_i386.deb
 1040540bc74e34b67d9606a4368162a7 47746 oldlibs extra mysql-server-4.1_5.0.32-7etch5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnHbnr/RnCw96jQERAhSwAJ43fBYhPItt+vD4lov37FtdUcglWACeID2w
FCW92CncsycUbT4D0nicN5g=
=lXOV
-----END PGP SIGNATURE-----



--- End Message ---
