Sec tactics, or FWD: [RHSA-2003:093-01] Updated MySQL packages fix vulnerabilities

Tomasz Kłoczko kloczek w rudy.mif.pg.gda.pl
Tue, 29 Apr 2003, 21:57:13 CEST


As you can see, we are no longer the only ones applying the tactic for
security-class updates that, if a new package version contains the fix, the
isolated security fix does not necessarily get backported to the version that
shipped in a given distribution release. Just in case anyone still had doubts
about whether what we are trying to do actually makes sense.

On Tue, 29 Apr 2003 redhat-announce-list-admin w redhat.com wrote:
[..]
> 3. Problem description:
> 
> MySQL is a multi-user, multi-threaded SQL database server.
> 
> A double-free vulnerability in mysqld, for MySQL before version 3.23.55,
> allows attackers with MySQL access to cause a denial of service (crash) by
> creating a carefully crafted client application. The Common
> Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
> CAN-2003-0073 to this issue.
> 
> MySQL 3.23.55 and earlier creates world-writable files and allows mysql
> users to gain root privileges by using the "SELECT * INFO OUTFILE" operator
> to overwrite a configuration file and cause mysql to run as root upon
> restart. The Common Vulnerabilities and Exposures project (cve.mitre.org)
> has assigned the name CAN-2003-0150 to this issue.
> 
> All users are advised to upgrade to MySQL 3.23.56 contained within this
> errata which is not vulnerable to these issues.
> 
[..]
> 7. Verification:
> 

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek w rudy.mif.pg.gda.pl*
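The second issue quoted above (CAN-2003-0150) hinges on the unprivileged mysql account being able to rewrite an option file that root re-reads on restart. The following audit script is an added example, not part of this post or of the Red Hat advisory; the data directory path, the option file path and the "mysql" account name are assumptions to be adjusted for the install being checked.

```shell
#!/bin/sh
# Added example, not part of the post or of RHSA-2003:093. Audits the
# conditions CAN-2003-0150 relies on: an option file the unprivileged
# mysql account can rewrite, and world-writable files under the data
# directory. Paths and the "mysql" account name are assumptions.

# List world-writable regular files under $1. Returns 0 when there are
# none, 1 when at least one was found (the paths are printed).
find_world_writable() {
    dir=$1
    found=$(find "$dir" -type f -perm -0002 2>/dev/null || true)
    [ -z "$found" ] && return 0
    echo "world-writable files under $dir:"
    echo "$found"
    return 1
}

# Return 0 when option file $1 cannot be modified by service account $2
# (the account mysqld drops privileges to), 1 when it can: owned by that
# account with the owner-write bit, writable by its primary group, or
# world-writable. A missing file is treated as safe.
config_safe_from() {
    file=$1; user=$2
    [ -e "$file" ] || return 0
    group=$(id -gn "$user" 2>/dev/null || echo "$user")
    hit=$(find "$file" -maxdepth 0 \( \
            \( -user "$user" -perm -0200 \) -o \
            \( -group "$group" -perm -0020 \) -o \
            -perm -0002 \) 2>/dev/null || true)
    [ -z "$hit" ] && return 0
    echo "$file is writable by $user; mysqld could rewrite it"
    return 1
}

# Return 0 when no mysqld process runs as root, 1 otherwise (needs pgrep).
mysqld_not_root() {
    if pgrep -u root -x mysqld >/dev/null 2>&1; then
        echo "mysqld is running as root"
        return 1
    fi
    return 0
}

# Usage: sh audit.sh /var/lib/mysql /etc/my.cnf [mysql]
if [ $# -ge 2 ]; then
    status=0
    find_world_writable "$1" || status=1
    config_safe_from "$2" "${3:-mysql}" || status=1
    config_safe_from "$1/my.cnf" "${3:-mysql}" || status=1  # datadir option file
    mysqld_not_root || status=1
    exit $status
fi
```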
