From joey@infodrom.org Wed Aug 24 03:09:18 2005 From: Martin Schulze Resent-From: list@murphy.debian.org (Mailing List Manager) To: Debian Security Announcements Date: Wed, 24 Aug 2005 08:53:37 +0200 (CEST) Reply-To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [SECURITY] [DSA 783-1] New mysql packages fix insecure temporary file -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 783-1 security@debian.org http://www.debian.org/security/ Martin Schulze August 24th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : mysql-dfsg-4.1 Vulnerability : insecure temporary file Problem-Type : local Debian-specific: no CVE ID : CAN-2005-1636 BugTraq ID : 13660 Debian Bug : 319526 Eric Romang discovered a temporary file vulnerability in a script accompanied with MySQL, a popular database, that allows an attacker to execute arbitrary SQL commands when the server is installed or updated. The old stable distribution (woody) as well as mysql-dfsg are not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 4.1_4.1.11a-4sarge1. For the unstable distribution (sid) this problem has been fixed in version 4.1.12 for mysql-dfsg-4.1 and 5.0.11beta-3 of mysql-dfsg-5.0. We recommend that you upgrade your mysql packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.dsc Size/MD5 checksum: 1021 13739557cb2a080e28e4d8b8d3c74b3c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.diff.gz Size/MD5 checksum: 162785 ebabe63abfbe2c9cf4a56fb9515d99dd http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3 Architecture independent components: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge1_all.deb Size/MD5 checksum: 35642 abfc7caa37c13c6861ec88cf196ef1be Alpha architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_alpha.deb Size/MD5 checksum: 1589514 7ef6a2aaa7323251d2367fed743356a9 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_alpha.deb Size/MD5 checksum: 7963364 4bb4ee99603b3c0918f9ef4ae8284ae1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_alpha.deb Size/MD5 checksum: 999878 77f29c811d6515c8affffeec74c4bb7f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_alpha.deb Size/MD5 checksum: 17484624 1149856989da8e133f38c3d59d96b30c AMD64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_amd64.deb Size/MD5 checksum: 1450326 9f45715323978f3f7c7e40267aec2ea4 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_amd64.deb Size/MD5 checksum: 5548998 c6365b2f962fc2092e6466c7e2c4b125 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_amd64.deb Size/MD5 checksum: 848544 b2584efe95149b344eb3c6205da2368e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_amd64.deb Size/MD5 checksum: 14709540 1b1ca0bae85285d5b385495728f06af2 ARM architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_arm.deb Size/MD5 checksum: 1388076 0be4eec4f3929bf0b7964157fa76accc http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_arm.deb Size/MD5 checksum: 5557616 265a5c7293a18ea7f268bbbb4660f0fe http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_arm.deb Size/MD5 checksum: 835746 f8f6416e44435b01068176a1ac98de0f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_arm.deb Size/MD5 checksum: 14555588 f8922b999f0b2f620853f3239b049fc9 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_i386.deb Size/MD5 checksum: 1416468 a8d52b676ff4ff91d413ff9324450036 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_i386.deb Size/MD5 checksum: 5641628 2d20f8b3174a6a9a19121a5e498bd5c9 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_i386.deb Size/MD5 checksum: 829580 1a4df96b603f27f7c2b139c1dd055460 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_i386.deb Size/MD5 checksum: 14556398 fe1c3f25184baab2bb0095b32c77a797 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_ia64.deb Size/MD5 checksum: 1711768 fda64e2e04286a2fdd67d2e86a905fb0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_ia64.deb Size/MD5 checksum: 7780852 853e3a49046d46af94ceef13ebb51c29 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_ia64.deb Size/MD5 checksum: 1049644 b00ce1514972089cf719b85604808bde http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_ia64.deb Size/MD5 checksum: 18474664 85e75b5428af17ec8ef0629cf57c321e HP Precision architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_hppa.deb Size/MD5 checksum: 1550180 c5dd256372cd9627eb4dbd9582dce728 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_hppa.deb Size/MD5 checksum: 6249180 039c8b4f93c713e967d301fea234292e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_hppa.deb Size/MD5 checksum: 909078 94164738f1978a1eadedb4014c38097e http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_hppa.deb Size/MD5 checksum: 15786540 bd9c9386dcacf37a1802160c21f87712 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_m68k.deb Size/MD5 checksum: 1396690 dfac1efd2c57ee8c1e5c8e3439e439bf http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_m68k.deb Size/MD5 checksum: 5282688 ed08875a118d9237d00f3e3011b1dac1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_m68k.deb Size/MD5 checksum: 802834 e5ab7837ea28d267bfe698fee03cbba6 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_m68k.deb Size/MD5 checksum: 14069986 f869a37931dfb86519458a9d48747f96 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_mips.deb Size/MD5 checksum: 1477766 fb7a8d1fb9d4607d7172c36032ebcbbb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mips.deb Size/MD5 checksum: 6051760 6e97430bc9b02e866e04414e627f9f4c http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mips.deb Size/MD5 checksum: 903542 f99636d7c17d9b9647c34d3dd3379c2d http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mips.deb Size/MD5 checksum: 15407442 36eaf9d65e7c4dcaeff920389c6bd890 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_mipsel.deb Size/MD5 checksum: 1445230 a850a8ef0b9860fdea3530e9c20ca155 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mipsel.deb Size/MD5 checksum: 5969356 4f65edebdd67451ff9f98d350d8de26f http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mipsel.deb Size/MD5 checksum: 889146 f7f3a001055f08d94598a0829a76aaf2 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mipsel.deb Size/MD5 checksum: 15103070 c204dcfe3af004201336df429d02972f PowerPC architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_powerpc.deb Size/MD5 checksum: 1475306 a9a981440a13e4da0f3f1eb28df8e178 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_powerpc.deb Size/MD5 checksum: 6024926 72553153e08c80d0d52a8abc5634c61b http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_powerpc.deb Size/MD5 checksum: 906294 6952b08aabe467261f3501fe9863d2cf http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_powerpc.deb Size/MD5 checksum: 15402300 a8052df1923122ec2fd18d5a3aa5c125 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_s390.deb Size/MD5 checksum: 1537478 d53485497a6fc99eb0186857fc799963 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_s390.deb Size/MD5 checksum: 5460684 2a11f9f50e74053a17679d59ffea44ad http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_s390.deb Size/MD5 checksum: 883270 61d8ef6a6d11ca03c84bf359a004e2e8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_s390.deb Size/MD5 checksum: 15053878 1a9066f65b02545819ab1fddec62ba71 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_sparc.deb Size/MD5 checksum: 1459386 b801d56ac5282e4316a11c7e231bbac0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_sparc.deb Size/MD5 checksum: 6205406 2cc5c4c174d61bf0f76b5fd9b75055f8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_sparc.deb Size/MD5 checksum: 867260 b8d31122c0c678cd73c1ae2dba158fb0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_sparc.deb Size/MD5 checksum: 15390174 f2ddbee863e67a62792dec779c3a9c2e These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDDBlxW5ql+IAeqTIRAk/rAKCVt2ll7jpAog/3K0Ctj/EOJJmABACbBFX/ AM1Kku5Kvd6FNi7X5D8BlRI= =DGTi -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/