Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: mysql
Date: Sun, 15 Dec 2002 12:29:03
Message-Id: 20021215122538.F22EE33BA7@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-2
- - --------------------------------------------------------------------

PACKAGE : mysql
SUMMARY : remote DOS and arbitrary code execution
DATE    : 2002-12-15 12:12 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

- From e-matters advisory:

"We have discovered two flaws within the MySQL server that can be used
by any MySQL user to crash the server. Furthermore one of the flaws can
be used to bypass the MySQL password check or to execute arbitrary code
with the privileges of the user running mysqld.

We have also discovered an arbitrary size heap overflow within the mysql
client library and another vulnerability that allows to write '\0' to any
memory address. Both flaws could allow DOS attacks against or arbitrary
code execution within anything linked against libmysqlclient."

Read the full advisory at
http://security.e-matters.de/advisories/042002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/freeswan-3.23.53 and earlier update their systems as follows:

emerge rsync
emerge mysql
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
woodchip@g.o
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9/HS4fT7nyhUpoZMRAh7MAKDDjsF3TdzsFWQ7ZlSgkuQCWyhxjACgifSG
xISOZG8+mGVv1S6BQCs4+I8=
=AA47
-----END PGP SIGNATURE-----