Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: mysql (200303-14)
Date: Wed, 19 Mar 2003 16:07:49
Message-Id: 20030318181216.1CFFD5763@mail2.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-14
- - ---------------------------------------------------------------------

PACKAGE : mysql
SUMMARY : remote root exploit
DATE : 2003-03-18 18:12 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <3.23.56
FIXED VERSION : >=3.23.56
CVE :

- - ---------------------------------------------------------------------

"This issue has been addressed in 3.23.56 (release build is started
today), and some steps were taken to alleviate the threat.

In particular, MySQL will no longer read config files that are
world-writeable (and SELECT ... OUTFILE always creates world-writeable
files). Also, unlike other options, for --user option the first one will
have the precedence. So if --user is set in /etc/my.cnf (as it is
recommended in the manual), datadir/my.cnf will not be able to override
it."

quote from:
http://marc.theaimsgroup.com/?l=bugtraq&m=104739810523433&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-db/mysql upgrade to mysql-3.23.56 as follows:

emerge sync
emerge mysql
emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+d2GffT7nyhUpoZMRAiDNAJ9CABOwtIrF3njTkLBxCO2SdvtsugCeMqqH
SSeumvMyzTQCfb0/C4I1nIU=
=HMcb
-----END PGP SIGNATURE-----
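
The two mitigations in the quoted text (world-writable option files are no longer read, and the first --user setting wins) can be audited on a host with the script below. It is an added example, not part of the advisory or of MySQL; the function names are hypothetical, the caller supplies both file paths, and it assumes the user option is set in the [mysqld] group of the global file.

```shell
#!/bin/sh
# Added example: audit MySQL option files for the conditions the advisory describes.
# Assumption: "user" is expected in the [mysqld] group of the global option file.

# is_world_writable FILE: succeeds when the world-write bit is set on FILE.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# has_user_option FILE: succeeds when [mysqld] in FILE contains a user= line.
has_user_option() {
    awk '
        /^[ \t]*\[/ { in_sect = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sect && /^[ \t]*user[ \t]*=/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_mysql_cnf GLOBAL_CNF DATADIR_CNF
# Prints one line per finding and returns the number of findings.
audit_mysql_cnf() {
    global=$1; datadir_cnf=$2; findings=0
    for f in "$global" "$datadir_cnf"; do
        [ -e "$f" ] || continue
        if is_world_writable "$f"; then
            # Files created by SELECT ... OUTFILE end up in this state.
            echo "WORLD-WRITABLE: $f (not read by mysql >= 3.23.56)"
            findings=$((findings + 1))
        fi
    done
    # With the fix, the first --user wins, so it must be set in the global file.
    if [ -e "$global" ] && ! has_user_option "$global"; then
        echo "NO-USER: $global does not set user in [mysqld]"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: pass the global option file and the datadir option file.
if [ "$#" -eq 2 ]; then
    audit_mysql_cnf "$1" "$2"
fi
```

A non-zero exit status is the number of findings; an empty result means neither condition was found in the files given.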