[RHSA-2005:685-01] Low: mysql security update

bugzilla at redhat.com
Wed Oct 5 13:49:52 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: mysql security update
Advisory ID:       RHSA-2005:685-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-685.html
Issue date:        2005-10-05
Updated on:        2005-10-05
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-1636
- ---------------------------------------------------------------------

1. Summary:

Updated mysql packages that fix a temporary file flaw and a number of bugs
are now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries.

An insecure temporary file handling bug was found in the mysql_install_db
script. It is possible for a local user to create specially crafted files
in /tmp which could allow them to execute arbitrary SQL commands during
database installation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1636 to this issue.

These packages update mysql to version 4.1.12, fixing a number of problems.
Also, support for SSL-encrypted connections to the database server is now
provided.

All users of mysql are advised to upgrade to these updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

158688 - CAN-2005-1636 mysql insecure temporary file creation
163694 - Parser issue with subqueries involving unions


6. RPMs required:

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1636

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDQ9nbXlSAg2UNWIIRAjJfAJ0f7jL8qkq344DYnP4sVteX80ZmfwCgk1Qc
ewofRR7SmRUM5Li9Kt2bwyk=
=8uXc
-----END PGP SIGNATURE-----
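
The temporary-file flaw described in section 3, shown as an added example (not code from mysql_install_db or from Red Hat): a shell installer that stages SQL under /tmp, first with an assumed predictable-name pattern, then in a hardened form. The advisory does not show the script's code, so all function names and paths here are hypothetical.

```shell
#!/bin/sh
# Added illustration of the bug class; not the mysql_install_db source.
# All function names and paths are hypothetical.

# Risky pattern, shown for contrast only: the file name is guessable and
# ">" writes through whatever already exists at that path, including a
# file or symlink created earlier by another local user.
stage_sql_predictable() {
    f="/tmp/install_sql.$$"          # constructed name derived from the PID
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Hardened pattern: a private directory from mktemp -d (random name,
# created atomically with mode 0700), restrictive umask, and noclobber so
# the redirect fails instead of reusing an existing path.
stage_sql_private() {
    (
        umask 077
        set -C
        d=$(mktemp -d "${TMPDIR:-/tmp}/sqlstage.XXXXXXXXXX") || exit 1
        printf '%s\n' "$1" > "$d/bootstrap.sql" || exit 1
        printf '%s\n' "$d/bootstrap.sql"
    )
}

# Check to run before feeding a staged file to the server: reject
# symlinks, non-regular files, and files not owned by the caller.
is_safe_stage_file() {
    [ ! -L "$1" ] && [ -f "$1" ] && [ -O "$1" ]
}
```

The caller should remove the staging directory once the SQL has been consumed, for example from a `trap` on exit.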




