Your message dated Wed, 16 Aug 2006 15:47:34 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#380271: fixed in mysql-dfsg-5.0 5.0.24-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: mysql-server-4.1
Version: 4.1.11a-4sarge5
Severity: grave
Tags: security patch
Hello
MySQL today announced a new upstream version for mysql-server-4.1 that
fixes a security problem:
Security fix: If a user has access to MyISAM table t, that user can
create a MERGE table m that accesses t. However, if the user's
privileges on t are subsequently revoked, the user can continue to
access t by doing so through m. If this behavior is undesirable, you
can start the server with the new --skip-merge option to disable the
MERGE storage engine.
http://bugs.mysql.com/bug.php?id=15195
The bug affects
3.23 woody
4.0 sarge
4.1 sarge
5.0 unstable
although in 3.23 and 4.0 it's even more unlikely as merge tables
couldn't even span databases i.e. table based rights would have to be
revoked.
Does this justify a DSA? If so, can you register a CVE id?
bye,
-christian-
--- End Message ---
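An audit sketch for the MERGE behaviour described in the report above (an added example, not part of the original messages and not MySQL or Debian code): before revoking a user's privileges on a MyISAM table, list the MERGE tables whose UNION list still references it. The `SHOW CREATE TABLE` strings are constructed samples, and the function names `merge_members` and `merges_referencing` are hypothetical.

```python
import re

# Constructed sample: SHOW CREATE TABLE output keyed by (database, table).
COLS = "CREATE TABLE `{0}` (\n  `id` int(11) NOT NULL\n) "
SAMPLE_DDL = {
    ("app", "t"): COLS.format("t") + "ENGINE=MyISAM DEFAULT CHARSET=latin1",
    ("scratch", "m"): COLS.format("m")
    + "ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 UNION=(`app`.`t`,`t2`)",
    ("app", "m_local"): COLS.format("m_local")
    + "ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 INSERT_METHOD=LAST UNION=(`t`)",
    ("app", "other"): COLS.format("other")
    + "ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 UNION=(`x`,`y`)",
}

ENGINE_RE = re.compile(r"\bENGINE=(\w+)", re.I)
UNION_RE = re.compile(r"\bUNION=\(([^)]*)\)", re.I)
# Optional `db`. prefix, then `table`; a doubled backtick is an escaped backtick.
NAME_RE = re.compile(r"(?:`((?:[^`]|``)+)`\.)?`((?:[^`]|``)+)`")


def merge_members(database, ddl):
    """Return the (database, table) pairs a MERGE table's UNION list names."""
    # Assumption: table options sit on the final line, as SHOW CREATE TABLE prints them.
    options = ddl.strip().splitlines()[-1]
    engine = ENGINE_RE.search(options)
    if not engine or engine.group(1).upper() not in ("MRG_MYISAM", "MERGE"):
        return []
    union = UNION_RE.search(options)
    if not union:
        return []
    members = []
    for match in NAME_RE.finditer(union.group(1)):
        db = match.group(1) or database  # unqualified names live in the MERGE table's own database
        members.append((db.replace("``", "`"), match.group(2).replace("``", "`")))
    return members


def merges_referencing(target, ddl_by_table):
    """List MERGE tables that would still expose `target` after a REVOKE on it."""
    hits = []
    for (db, name), ddl in ddl_by_table.items():
        if target in merge_members(db, ddl):
            hits.append((db, name))
    return sorted(hits)


if __name__ == "__main__":
    for db, name in merges_referencing(("app", "t"), SAMPLE_DDL):
        print(f"MERGE table {db}.{name} still references app.t")
```

An empty result means no MERGE table keeps the target reachable; otherwise the listed tables need to be dropped or altered alongside the REVOKE, or the server started with `--skip-merge` as the report describes.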
--- Begin Message ---
Source: mysql-dfsg-5.0
Source-Version: 5.0.24-1
We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:
libmysqlclient15-dev_5.0.24-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.24-1_amd64.deb
libmysqlclient15off_5.0.24-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.24-1_amd64.deb
mysql-client-5.0_5.0.24-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.24-1_amd64.deb
mysql-client_5.0.24-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.24-1_all.deb
mysql-common_5.0.24-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.24-1_all.deb
mysql-dfsg-5.0_5.0.24-1.diff.gz
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.24-1.diff.gz
mysql-dfsg-5.0_5.0.24-1.dsc
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.24-1.dsc
mysql-dfsg-5.0_5.0.24.orig.tar.gz
to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.24.orig.tar.gz
mysql-server-5.0_5.0.24-1_amd64.deb
to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.24-1_amd64.deb
mysql-server_5.0.24-1_all.deb
to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.24-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 8 Aug 2006 00:44:13 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server
mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all amd64
Version: 5.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description:
libmysqlclient15-dev - mysql database development files
libmysqlclient15off - mysql database client library
mysql-client - mysql database client (current version)
mysql-client-5.0 - mysql database client binaries
mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
mysql-server - mysql database server (current version)
mysql-server-5.0 - mysql database server binaries
Closes: 377651 380271
Changes:
 mysql-dfsg-5.0 (5.0.24-1) unstable; urgency=high
 .
   * SECURITY: Upstream fixes a security bug which allows a user to continue
     accessing a table using a MERGE TABLE after the right to direct access to
     the database has been revoked (CVE-2006-4031, MySQL bug #15195).
     (Well they did not exactly fix it, they documented the behaviour and
     allow the admin to disable merge table altogether...). Closes: #380271
   * SECURITY: Applied patch that fixes a possibly insecure file handling
     in the recently added mysql_upgrade binary file (MySQL bug #10320).
   * New upstream version.
     - Fixes nasty MySQL bug #19618 that leads to crashes when using
       "SELECT ... WHERE ... not in (1, -1)" (e.g. vbulletin was affected).
     - Fixes upstream bug #16803 so that linking ~/.mysql_history to /dev/null
       now has the desired effect of having no history.
   * Really fixed the runlevels. Closes: #377651
   * Added patch for broken upstream handling of "host=" to mysql_upgrade.c.
   * Adjusted /etc/mysql/debian-start to new mysql_upgrade.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iEYEARECAAYFAkTjmwMACgkQkR9K5oahGOYJNACg8hDWiG4JBYbaRJvddM3w1nfR
VkoAoNiJyj0fOJZsoBZBJRKvqBl1Dj1e
=50dE
-----END PGP SIGNATURE-----
--- End Message ---