[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass

Devin Carraway <devin@debian.org> wrote:
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1662-1 security@debian.org
http://www.debian.org/security/ Devin Carraway
November 06, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : mysql-dfsg-5.0
Vulnerability : authorization bypass
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-4098
Debian Bug : 480292

A symlink traversal vulnerability was discovered in MySQL, a
relational database server. The weakness could permit an attacker
having both CREATE TABLE access to a database and the ability to
execute shell commands on the database server to bypass MySQL access
controls, enabling them to write to tables in databases to which they
would not ordinarily have access.

The Common Vulnerabilities and Exposures project identifies this
vulnerability as CVE-2008-4098. Note that a closely aligned issue,
identified as CVE-2008-4097, was prevented by the update announced in
DSA-1608-1. This new update supercedes that fix and mitigates both
potential attack vectors.

For the stable distribution (etch), this problem has been fixed in
version 5.0.32-7etch8.

We recommend that you upgrade your mysql packages.

I find a fix for this bug in mysql-dfsg-5.0_5.0.32-7etch6 pachage, before  9 July 08

Reply to: