=========================================================== Ubuntu Security Notice USN-671-1 November 17, 2008 mysql-dfsg-5.0 vulnerabilities CVE-2008-2079, CVE-2008-3963, CVE-2008-4097, CVE-2008-4098 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: mysql-server-5.0 5.0.22-0ubuntu6.06.11 Ubuntu 7.10: mysql-server-5.0 5.0.45-1ubuntu3.4 Ubuntu 8.04 LTS: mysql-server-5.0 5.0.51a-3ubuntu5.4 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. (CVE-2008-2079, CVE-2008-4097 and CVE-2008-4098) It was discovered that MySQL did not handle empty bit-string literals properly. An attacker could exploit this problem and cause the MySQL server to crash, leading to a denial of service. (CVE-2008-3963) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.11.diff.gz Size/MD5: 166038 5bb9d1f41b8a34e3f935d87cf8ea553c http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.11.dsc Size/MD5: 1124 dfb2b087d32df29aa9697dd004c488c4 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22.orig.tar.gz Size/MD5: 18446645 2b8f36364373461190126817ec872031 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.22-0ubuntu6.06.11_all.deb Size/MD5: 38944 2f54e68e4fa140998c0cb78a70fc119e http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.22-0ubuntu6.06.11_all.deb Size/MD5: 41488 ef268bffd224ccf90dd590820de702a7 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.22-0ubuntu6.06.11_all.deb Size/MD5: 38948 6bd7b45911f2bacec67d578ee812f110 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_amd64.deb Size/MD5: 6729886 af2c395368182937c76d5f165d478df3 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_amd64.deb Size/MD5: 1423924 58ca08b4eef39c0e2d34aaa2cddf42cb http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_amd64.deb Size/MD5: 6897622 fc9e0c76dbde4321de287a102c002db2 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_amd64.deb Size/MD5: 22493516 ec7f8f5c669bb7f1ca0b7d54bd63ca7d i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_i386.deb Size/MD5: 6142732 d411a303d293fd8559f042ce230615d1 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_i386.deb Size/MD5: 1384350 1dcfa047e463b45f45942ac0bea623b1 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_i386.deb Size/MD5: 6280092 9a555aa506be5086d952af12afbf5b3d http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_i386.deb Size/MD5: 21352916 0285f357ed2a35ecbd81b7f13fcbe0dd powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_powerpc.deb Size/MD5: 6886660 c3f1cef7637a94b3c4ba3d3cc74a4a36 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_powerpc.deb Size/MD5: 1464208 1ab2aa38f4e27b74e3d3e962e44977e3 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_powerpc.deb Size/MD5: 6944814 311ed284fb1456d3e20fc49b53ae1020 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_powerpc.deb Size/MD5: 22708138 87480f1d414b63dd32f9bc017786573e sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.11_sparc.deb Size/MD5: 6435552 66ae0f7ef9fef58a118965e54af6d751 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.11_sparc.deb Size/MD5: 1436346 e2c0b9566472e770eb2d58be24de248c http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.11_sparc.deb Size/MD5: 6542200 09a89f54af6584167a1cae9cffbc735f http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.11_sparc.deb Size/MD5: 21974286 cab9ee96e01b4df8243bf74767819088 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-1ubuntu3.4.diff.gz Size/MD5: 243362 6b79d30861b757447d41706e3731e395 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-1ubuntu3.4.dsc Size/MD5: 1302 9a87569e45aded8c98c43d53c12d30de http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45.orig.tar.gz Size/MD5: 17801680 ab450aa2e9b89f3b4e01fd12375b1bee Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.45-1ubuntu3.4_all.deb Size/MD5: 48538 8338809ac72972866d2363a6ce681c15 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.45-1ubuntu3.4_all.deb Size/MD5: 56744 71342b47c409b2b4e4ead8c8cef4e7f8 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.45-1ubuntu3.4_all.deb Size/MD5: 50738 2e37d678979ce0a893092d1ff949d4e1 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_amd64.deb Size/MD5: 7564626 120e18e6fc2d3208b0531cac5d8209a0 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_amd64.deb Size/MD5: 1917186 838695d874b436643792bec417299410 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_amd64.deb Size/MD5: 7999284 e73b18453d17f783e5e4c4653e7ff893 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_amd64.deb Size/MD5: 27571570 6f0e6edd92ab9f107149952c4fc5e14d i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_i386.deb Size/MD5: 7043450 a33ba64ed57deb1bef09ddae94abe8c0 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_i386.deb Size/MD5: 1867614 f16cc5ff9ffdf951f47da895a4f40f93 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_i386.deb Size/MD5: 7497426 43ab893a69ae8bf09d8795281509d50d http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_i386.deb Size/MD5: 26786564 33eceaf638a2d9042d32b41b2498394a lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_lpia.deb Size/MD5: 7023394 ce3cbd8d1d3636158e26aac448f17e6e http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_lpia.deb Size/MD5: 1843862 33187655eeaf528d82620681bab73a9b http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_lpia.deb Size/MD5: 7518330 457f957ebbf1cc88d7bd433354b99d8b http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_lpia.deb Size/MD5: 26760376 b52d4eea4a46f8eab45d1b991dd6bfae powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_powerpc.deb Size/MD5: 7762838 9ba0474b47f276590162a3c85c0d382f http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_powerpc.deb Size/MD5: 1949498 2fe6fd7147097a2dbe1768b12a505fc9 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_powerpc.deb Size/MD5: 8066000 0a14243fe3631806abb5de27bd3e03dc http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_powerpc.deb Size/MD5: 28023398 138612db5e9249bb2c54f4d71a0914d3 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-1ubuntu3.4_sparc.deb Size/MD5: 7173132 2b4016c87626737b6a970ed169c80a24 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-1ubuntu3.4_sparc.deb Size/MD5: 1877642 14963beda22c01f734c403822d561ef8 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-1ubuntu3.4_sparc.deb Size/MD5: 7583722 c1a60b545f38172c683d76ea953f41f6 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-1ubuntu3.4_sparc.deb Size/MD5: 27140728 b79d11ad9b4cf9b20a92ca1bfccf6eeb Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-3ubuntu5.4.diff.gz Size/MD5: 314416 a98a2519ef59bc5b0cef4940c4961f35 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-3ubuntu5.4.dsc Size/MD5: 1430 57f5a32ccf3d46aefcb56407fc238007 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a.orig.tar.gz Size/MD5: 17946664 6fae978908ad5eb790fa3f24f16dadba Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-3ubuntu5.4_all.deb Size/MD5: 52052 8200893fa342e477a2af354d141015e7 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-3ubuntu5.4_all.deb Size/MD5: 60302 8e8d4aa0af490eeadde3d1684c669de1 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-3ubuntu5.4_all.deb Size/MD5: 54240 34a21b40b4e18dd8dbfbf5ca30fd8e53 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_amd64.deb Size/MD5: 7594702 71f4511bd9ce2275d080bf4f27e8f4dd http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_amd64.deb Size/MD5: 1877812 afa3900abcb025df70ccc444444a006a http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_amd64.deb Size/MD5: 8241010 cdb59824c82d8412a4f324f38f9c1260 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_amd64.deb Size/MD5: 28018274 b106f4f668381cd55a5da7d40be9e7ce i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_i386.deb Size/MD5: 7216262 f252c8299c00e805022a99374561eeba http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_i386.deb Size/MD5: 1836766 247b3c027653b3f6cd9b89320ba7572e http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_i386.deb Size/MD5: 7826312 f948d312520c64c0d73982e162201f09 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_i386.deb Size/MD5: 27427752 090b315903161e7f72d0b7e2be804ee1 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_lpia.deb Size/MD5: 7160694 d0bd82cf31dae1cec8ca04241baba49d http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_lpia.deb Size/MD5: 1826820 3bb18a419dceccfb58aa5d3cd99bf31a http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_lpia.deb Size/MD5: 7840058 80f24b9ce82a2f93f4ed8ce635114e7a http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_lpia.deb Size/MD5: 27357990 65e92cb0e552509a820410351456fa97 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_powerpc.deb Size/MD5: 7587468 045eee93159914db564084d88a3d5304 http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_powerpc.deb Size/MD5: 1915302 eef9aedee7b37cb81a9a980d42049406 http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_powerpc.deb Size/MD5: 8241574 7f57a684310fe601446729a3e539b49f http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_powerpc.deb Size/MD5: 28344344 d3be9955a55a22ced19fe9d25b129bd6 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-3ubuntu5.4_sparc.deb Size/MD5: 7199786 d2c692836274f21677499177121e046b http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-3ubuntu5.4_sparc.deb Size/MD5: 1846000 b0456b96173850dfa4eb597c4d42f4ac http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-3ubuntu5.4_sparc.deb Size/MD5: 7830916 cd55ac1ad14ce9713de2e8c9397c1018 http://ports.ubuntu.com/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-3ubuntu5.4_sparc.deb Size/MD5: 27642386 8cf989c15071150c10abc1175c048022