Debian Bug report logs - #319526
mysql-server: An update to MySQL version 4.1.12 fixes a low-impact security problem


Package: mysql-server; Maintainer for mysql-server is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>; Source for mysql-server is src:mysql-5.5.

Reported by: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>

Date: Fri, 22 Jul 2005 20:18:07 UTC

Severity: grave

Tags: confirmed, patch, sarge, security

Found in version n/a

Fixed in version mysql-server/4.1.11a-4sarge1

Done: Matt Kraai <kraai@ftbfs.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
New Bug report received and forwarded. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-server: An update to MySQL version 4.1.12 fixes a low-impact security problem
Date: Fri, 22 Jul 2005 22:11:37 +0200
Package: mysql-server
Version: N/A; reported 2005-07-22
Severity: normal
Tags: security

Hello,
I found this info on lwn
http://lwn.net/Articles/144440/

There seems to be some fix in the Red Hat package. Sorry if that
already has been dealt with (it has no CAN to check it). Otherwise
please adjust the severity (they just cite some bz-numbers, do not
give details). Maybe you can, via the security team, request a CAN? 

Sorry for this vague report, you can probably check the details much
better than I can.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux zibal 2.4.27-grsec #1 Wed Dec 22 15:20:05 CET 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US




Severity set to `grave'. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #14 received at 319526@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 319526@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [patch] for CAN-2005-1636
Date: Mon, 1 Aug 2005 01:36:25 +0200
[Message part 1 (text/plain, inline)]
tags 319526 + confirmed patch pending
thanks

Hello

The attached patch has been forwarded separately to the Security Team
which will probably make a DSA from it.

bye,

-christian-

[mysql-dfsg-4.1__SARGE__CAN-2005-1636.diff (text/plain, attachment)]

Tags added: confirmed, patch, pending Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #21 received at 319526@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org, Sean Finney <seanius@debian.org>, 319526@bugs.debian.org
Subject: MySQL security bug in sarge (CAN-2005-1636)
Date: Sun, 14 Aug 2005 23:16:24 +0200
Hello Security Team

Are you aware of this bug? The "interdiff" patch is already in the BTS.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319526
      Applied the upstream patch that fixes a tempfile vulnerability in the
      mysqld_install_db script that was found by Eric Romang and allows an
      attacker to execute arbitrary SQL commands when the server is installed
      or updated. The issue is known as CAN-2005-1636, the patch was made by
      comparing this version against the one from 4.1.12. 

bye,

-christian-
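The changelog excerpt above names the class of bug (a temporary-file weakness in an install script whose contents the server later executes as SQL) without showing the fix. As an added illustration, not the MySQL project's code and not the patch attached to this bug, the POSIX shell fragment below shows the defensive pattern an install script should use for such a file: create it atomically under a restrictive umask with mktemp, and verify it is a private regular file before handing it to the server. The function names make_bootstrap_sql and verify_bootstrap_file, the template name and the sample SQL statements are assumptions.

```shell
#!/bin/sh
# Added illustration, not the MySQL project's code and not the Debian patch:
# the defensive pattern for a temporary file holding bootstrap SQL.
# Function names, the template name and the sample SQL are assumptions.

# Check that a path is safe to hand to the server as bootstrap input:
# a regular file (not a symlink), owned by the invoking user, mode 0600.
# Note: "-O" is supported by bash and dash but is not in POSIX sh.
verify_bootstrap_file() {
    f=$1
    [ -n "$f" ]   || return 1
    [ ! -L "$f" ] || return 1   # symlink: someone else chose the real target
    [ -f "$f" ]   || return 1   # must be a regular file
    [ -O "$f" ]   || return 1   # must belong to the user running the script
    # Exact mode 0600: no group or other permission bits at all.
    [ -n "$(find "$f" -prune -perm 600 -print)" ] || return 1
}

# Create a private temporary file for bootstrap SQL and print its path.
# mktemp creates the file atomically under an unpredictable name; the umask
# in the subshell makes it mode 0600, so a pre-existing file at a guessable
# path is never reused or followed.
make_bootstrap_sql() {
    tmp=$(umask 077; mktemp "${TMPDIR:-/tmp}/mysql_install_db.XXXXXX") || return 1
    verify_bootstrap_file "$tmp" || { rm -f "$tmp"; return 1; }
    # Constructed sample statements standing in for the real bootstrap SQL.
    printf '%s\n' \
        'CREATE DATABASE IF NOT EXISTS mysql;' \
        'USE mysql;' > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Usage (assumed command line): feed the file to the server only after the
# checks pass, then remove it.
#   sql=$(make_bootstrap_sql) && mysqld --bootstrap < "$sql"; rm -f "$sql"
```

The point of the verify step is that the checks run on the file the script itself just created, so the server never reads a path that another local user could have placed or pointed elsewhere in advance; the same check also catches an install script that was later edited to reuse a fixed name.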



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #26 received at 319526@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, Sean Finney <seanius@debian.org>, 319526@bugs.debian.org
Subject: Re: MySQL security bug in sarge (CAN-2005-1636)
Date: Fri, 19 Aug 2005 15:47:49 +0200
Christian Hammers wrote:
> Hello Security Team
> 
> Are you aware of this bug? The "interdiff" patch is already in the BTS.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319526
>       Applied the upstream patch that fixes a tempfile vulnerability in the
>       mysqld_install_db script that was found by Eric Romang and allows an
>       attacker to execute arbitrary SQL commands when the server is installed
>       or updated. The issue is known as CAN-2005-1636, the patch was made by
>       comparing this version against the one from 4.1.12. 

Thanks a lot for the update!
I'll build packages, but will strip off the po file updates.

Regards,

	Joey

-- 
The good thing about standards is that there are so many to choose from.
		-- Andrew S. Tanenbaum

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #31 received at 319526@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 319526@bugs.debian.org
Subject: Re: MySQL security bug in sarge (CAN-2005-1636)
Date: Tue, 23 Aug 2005 18:23:04 +0200
Martin Schulze wrote:
> Christian Hammers wrote:
> > Hello Security Team
> > 
> > Are you aware of this bug? The "interdiff" patch is already in the BTS.
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319526
> >       Applied the upstream patch that fixes a tempfile vulnerability in the
> >       mysqld_install_db script that was found by Eric Romang and allows an
> >       attacker to execute arbitrary SQL commands when the server is installed
> >       or updated. The issue is known as CAN-2005-1636, the patch was made by
> >       comparing this version against the one from 4.1.12. 
> 
> Thanks a lot for the update!
> I'll build packages, but will strip off the po file updates.

Which package in unstable will fix this problem?  Or is it not present
in that distribution?

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #36 received at 319526@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Christian Hammers <ch@debian.org>, team@security.debian.org, 319526@bugs.debian.org
Subject: Re: MySQL security bug in sarge (CAN-2005-1636)
Date: Tue, 23 Aug 2005 12:47:29 -0400
[Message part 1 (text/plain, inline)]
hey folks,

On Tue, Aug 23, 2005 at 06:23:04PM +0200, Martin Schulze wrote:
> Which package in unstable will fix this problem?  Or is it not present
> in that distribution?

i believe that the problem has been fixed since 4.1.12 for the sid-4.1
series, and that the latest version of 5.0 already contains the fix.
i have no idea about the status of sarge-4.0, and afaik sid-4.0
is supposed to disappear in the near future if it hasn't already.


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>:
Bug#319526; Package mysql-server. Full text and rfc822 format available.

Acknowledgement sent to pop.10829@mail3b.westend.com:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>. Full text and rfc822 format available.

Message #41 received at 319526@bugs.debian.org (full text, mbox):

From: pop.10829@mail3b.westend.com
To: "Sean Finney" <seanius@debian.org>, 319526@bugs.debian.org
Subject: Re: Bug#319526: MySQL security bug in sarge (CAN-2005-1636)
Date: Wed, 24 Aug 2005 17:45:40 +0200 (CEST)
> hey folks,
>
> On Tue, Aug 23, 2005 at 06:23:04PM +0200, Martin Schulze wrote:
>> Which package in unstable will fix this problem?  Or is it not present
>> in that distribution?
>
> i believe that the problem has been fixed since 4.1.12 for the sid-4.1
> series, and that the latest version of 5.0 already contains the fix.
> i have no idea about the status of sarge-4.0, and afaik sid-4.0
> is supposed to disappear in the near future if it hasn't already.

(from holidays)
yes, sid-4.0, providing libmysqlclient12, is supposed to be removed as
soon as there are no applications left that link against that
libmysqlclient version. this sadly can take some time as RM asked to
postpone the transition after gcc is done...

-christian-




Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #46 received at 319526-done@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 319526-done@bugs.debian.org
Subject: Re: Bug#319526: mysql-server: An update to MySQL version 4.1.12 fixes a low-impact security problem
Date: Thu, 15 Sep 2005 21:34:54 +0200
This has been fixed in DSA783.

bye,

-christian-



Bug marked as fixed in version 4.1.11a-4sarge1, send any further explanations to Helge Kreutzmann <kreutzm@itp.uni-hannover.de> Request was from Matt Kraai <kraai@ftbfs.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:39:44 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:49:25 2014; Machine Name: beach.debian.org
