86882 2002-12-17  18:31  /123 lines/  <secure@conectiva.com.br>
Imported: 2002-12-17  18:31  by Brevbäraren
External recipient: conectiva-updates@papaleguas.conectiva.com.br
External recipient: lwn@lwn.net
External recipient: bugtraq@securityfocus.com
External recipient: security-alerts@linuxsecurity.com
External recipient: linsec@lists.seifried.org
Recipient: Bugtraq (import) <2782>
Subject: [CLA-2002:555] Conectiva Linux Security Announcement - MySQL
------------------------------------------------------------

--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
--------------------------------------------------------------------------

PACKAGE   : MySQL
SUMMARY   : Several Vulnerabilities
DATE      : 2002-12-17 11:51:00
ID        : CLA-2002:555
RELEVANT
RELEASES  : 6.0, 7.0, 8

-------------------------------------------------------------------------

DESCRIPTION
 MySQL is a very popular SQL database, distributed under the GNU-GPL
 license.
 
 Stefan Esser from e-matters[1] discovered several vulnerabilities in
 the MySQL code that affect both the server and the client library
 (libmysql) of MySQL.
 
 The server vulnerabilities can be exploited to crash the MySQL
 server, bypass password restrictions or even execute arbitrary code
 with the privileges of the user running the server process.
 
 The library vulnerabilities consist of an arbitrary-size heap overflow
 and a memory addressing problem, both of which can be exploited to
 crash or execute arbitrary code in programs linked against libmysql.
 
 More details about each vulnerability can be found in the e-matters
 security advisory[2].
 
 The Common Vulnerabilities and Exposures project (cve.mitre.org) is
 tracking these issues with the names CAN-2002-1373, CAN-2002-1374,
 CAN-2002-1375 and CAN-2002-1376.


SOLUTION
 We recommend that all MySQL users upgrade their packages as soon as
 possible.
 
 IMPORTANT: after the upgrade the mysql service must be restarted
 manually. In order to do that, run the following command as root:
 
 # /sbin/service mysql restart
 
 It is also recommended to restart all programs linked against
 libmysql. A list of such programs currently running can be obtained
 with the following command:
 
 # /usr/sbin/lsof | grep libmysql
 
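 As an added example (not part of the Conectiva advisory), the POSIX shell functions below do the same job as the lsof pipeline above by reading /proc/<pid>/maps, and additionally flag processes whose mapped libmysql file was replaced on disk by the upgrade, which the kernel marks "(deleted)". The optional proc-root argument is an assumption introduced so the logic can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the advisory: after the MySQL package upgrade,
# list every running process that still has libmysql mapped so it can be
# restarted. Reads /proc/<pid>/maps directly, so lsof is not required.
# A mapping marked "(deleted)" means the library file was replaced on disk
# but the process still executes the old, vulnerable copy.
# The first argument overrides the /proc root (assumption, for testing).

libmysql_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Skip processes that do not map any libmysql variant.
        grep -q 'libmysql' "$maps" 2>/dev/null || continue
        pid="${maps%/maps}"; pid="${pid##*/}"
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        state="mapped"
        grep -q 'libmysql.*(deleted)' "$maps" 2>/dev/null && state="stale"
        printf '%s %s %s\n' "$pid" "$comm" "$state"
    done
}

# Number of processes still using libmysql; 0 means nothing left to restart.
libmysql_user_count() {
    libmysql_users "$1" | wc -l | tr -d ' '
}

# Succeeds only when no process maps a replaced (deleted) libmysql file.
libmysql_stale_check() {
    ! libmysql_users "$1" | grep -q ' stale$'
}
```

 Run `libmysql_users` as root after the upgrade and restart each listed process; `libmysql_stale_check || echo 'restart still needed'` gives a one-line verdict.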
 
 REFERENCES:
 1. http://www.e-matters.de/
 2. http://security.e-matters.de/advisories/042002.html
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
 6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1376


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at
 http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br