-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1608-1 security@debian.org http://www.debian.org/security/ Devin Carraway July 13, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : mysql-dfsg-5.0 Vulnerability : authorization bypass Problem type : remote Debian-specific: no CVE Id(s) : CVE-2008-2079 Debian Bug : 480292 Sergei Golubchik discovered that MySQL, a widely-deployed database server, did not properly validate optional data or index directory paths given in a CREATE TABLE statement, nor would it (under proper conditions) prevent two databases from using the same paths for data or index files. This permits an authenticated user with authorization to create tables in one database to read, write or delete data from tables subsequently created in other databases, regardless of other GRANT authorizations. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2079. For the stable distribution (etch), this problem has been fixed in version 5.0.32-7etch6. Note that the fix applied will have the consequence of disallowing the selection of data or index paths under the database root, which on a Debian system is /var/lib/mysql; database administrators needing to control the placement of these files under that location must do so through other means. We recommend that you upgrade your mysql-dfsg-5.0 packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch6.diff.gz Size/MD5 checksum: 266482 42faf9d31d5bf1674d5b241ff49341cf http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch6.dsc Size/MD5 checksum: 1117 367176f5e877cf3c46c662b87275f901 Architecture independent packages: http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch6_all.deb Size/MD5 checksum: 45888 48a61918f72d865970ef48bc4eeb3466 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch6_all.deb Size/MD5 checksum: 54220 72f5ee84fa60b0871600fbe5fd4f5a74 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch6_all.deb Size/MD5 checksum: 47968 e8a2d9a5f13043c67a3d9ba4caa57a3c alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_alpha.deb Size/MD5 checksum: 1947356 1cd753a88978d41452bffc772323eb83 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_alpha.deb Size/MD5 checksum: 8909108 61b392dc0be2b82c3e6a5657ad06fca8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_alpha.deb Size/MD5 checksum: 27381852 9e9fc87afceae3cb7c157369843a30ad http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_alpha.deb Size/MD5 checksum: 47992 8798c205394f39c843df143db2ba37af http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_alpha.deb Size/MD5 checksum: 8405314 f52f8049cb3080bca02eeba5c2e14a1d amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_amd64.deb Size/MD5 checksum: 47990 3662d9f51257c5fc57e7a20b90a6f33d http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_amd64.deb Size/MD5 checksum: 7371044 0fd9eb3504a9958b1f709a48649b41c0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_amd64.deb Size/MD5 checksum: 25815708 3fd278cba985110a578fc8d5bc76f8e9 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_amd64.deb Size/MD5 checksum: 1830958 6cc454236571032d4c723a4084cae535 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_amd64.deb Size/MD5 checksum: 7548576 ce08e3855077d14ddf73d70362faaaf1 arm architecture (ARM) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_arm.deb Size/MD5 checksum: 1748158 271c0b333e4404ac1a3230e13e182c70 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_arm.deb Size/MD5 checksum: 6930330 70477965987251fa25ace71df5c200f7 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_arm.deb Size/MD5 checksum: 25345976 f7908a64856451893285ebaebb4f6125 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_arm.deb Size/MD5 checksum: 48034 90284b682bc77e4401c216f3f49d8995 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_arm.deb Size/MD5 checksum: 7205572 7ebe1cb99dbb00a4db7ee387c2533a44 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_hppa.deb Size/MD5 checksum: 8054566 6ed6093c2dae6999126eacf5309e4474 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_hppa.deb Size/MD5 checksum: 47990 688427cc2115f9260546013364aca60b http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_hppa.deb Size/MD5 checksum: 1922788 5645332118ae75b274e760c448150f1b http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_hppa.deb Size/MD5 checksum: 27172760 bc2bfe60a4ff106fade4da459e07a5eb http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_hppa.deb Size/MD5 checksum: 8004968 53ba9f2f9c169765ad97900efb5f9c1a i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_i386.deb Size/MD5 checksum: 1792338 2bfed729400306f35a68d210af5a6666 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_i386.deb Size/MD5 checksum: 7198430 0c542cde542474c58468b52f97890ec2 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_i386.deb Size/MD5 checksum: 6959158 2c879cabd32fec019ebbf110b43c9e62 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_i386.deb Size/MD5 checksum: 47990 ba04b03ff5cfb960c9a7b461fe879928 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_i386.deb Size/MD5 checksum: 25225784 2382d6a8f5e57dc84060b51116b03833 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_ia64.deb Size/MD5 checksum: 2115542 0bb8b1f251231f14bfa27f0138f01a5d http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_ia64.deb Size/MD5 checksum: 9737938 41806cfb4504905e6be20f3047aefdf0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_ia64.deb Size/MD5 checksum: 30409676 b6f620c479e5d2a1aa9f9e20e5382849 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_ia64.deb Size/MD5 checksum: 47992 a6d309557d081dc76b60c359977cf805 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_ia64.deb Size/MD5 checksum: 10342514 25e2a3dbf910557ed1899ef1dce83cd8 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_mips.deb Size/MD5 checksum: 48020 7192dc50d43ca3d5710bfe2501fd0ee1 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_mips.deb Size/MD5 checksum: 26471616 c8f937742bb947ed1994ee4bfb59f4ea http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_mips.deb Size/MD5 checksum: 1835022 b6d0c5c0eb384329ec2678b43380d8fb http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_mips.deb Size/MD5 checksum: 7759368 7121a9cfcdbf26a89fc95e00113a20fb http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_mips.deb Size/MD5 checksum: 7672846 5fbe3662bc253bda3ccf62c8c78d7cf4 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_mipsel.deb Size/MD5 checksum: 7641076 937625ccc622b46c4c6a5cffeda033ec http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_mipsel.deb Size/MD5 checksum: 1789730 90d351c1551367cc5e77d008236402cd http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_mipsel.deb Size/MD5 checksum: 25845336 ed42a4ccbb7057dc660197fee3566682 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_mipsel.deb Size/MD5 checksum: 47992 1c0eb8257b01d13b4bf0f70d97612e67 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_mipsel.deb Size/MD5 checksum: 7561054 d5fbe5e214b39736f6eb13c2633fd102 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_powerpc.deb Size/MD5 checksum: 7573142 49364df9e5cd4842fd9f72a40589d18c http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_powerpc.deb Size/MD5 checksum: 47990 1eceb3165524be6ce46a6a1cab526a24 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_powerpc.deb Size/MD5 checksum: 7512578 e78ebeed9529c4bddd4976a1181d86e6 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_powerpc.deb Size/MD5 checksum: 26165058 0c20e4fb11a5b89b572d177b86cde355 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_powerpc.deb Size/MD5 checksum: 1832632 7e633b4febc3d0bfcb6c993cf85574c0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_s390.deb Size/MD5 checksum: 7414202 4ff1d98b4b41543fdb24fc3be75b2835 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_s390.deb Size/MD5 checksum: 47988 8734d7200d69ed73cda3c80ec9115247 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_s390.deb Size/MD5 checksum: 7507338 921ca2feff00e5d2c0a36e34403538f0 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_s390.deb Size/MD5 checksum: 1952002 ca93cf34f53f7d2c3094157142df632f http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_s390.deb Size/MD5 checksum: 26764624 d785bab765139dcb98872a2b96b85909 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch6_sparc.deb Size/MD5 checksum: 1797778 6df91c9bce65192cdb3063c3111e941d http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch6_sparc.deb Size/MD5 checksum: 47992 b7d1d6f2ff76ef9bcf126d2dd773bb72 http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch6_sparc.deb Size/MD5 checksum: 7014210 f23cf47cc8b16e28f22c1a13b4a6936c http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch6_sparc.deb Size/MD5 checksum: 25426696 16bfb42f9a4dab6146df47568da158df http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch6_sparc.deb Size/MD5 checksum: 7153268 811916b6dec1eeae2ddb9822dacea994 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIeYhzU5XKDemr/NIRAkq/AKCaaDjIYhDwCU4t4ZJI6ZcNUsav6ACgwn9Q naOfRlIo8CPjdi8hUqt7q64= =+HxO -----END PGP SIGNATURE-----