Debian Bug report logs - #480292
CVE-2008-2079: mysql allows local users to bypass certain privilege checks

version graph

Package: mysql-server-5.0; Maintainer for mysql-server-5.0 is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 9 May 2008 11:09:02 UTC

Severity: grave

Tags: patch, pending, security

Fixed in version mysql-dfsg-5.0/5.0.51a-10

Done: Norbert Tretkowski <nobse@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#480292; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
Date: Fri, 09 May 2008 21:02:35 +1000
Package: mysql-server-5.0
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(0) has been issued against mysql.

CVE-2008-2079:

MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and
6.0.x before 6.0.5 allows local users to bypass certain privilege checks
by calling CREATE TABLE on a MyISAM table with modified (1) DATA
DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL
home data directory, which can point to tables that are created in the
future.

Please mention the CVE id in your changelog, if you fix the issue by an
upload.

The mysql bugreport can be found here(1).


Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079

(1): http://bugs.mysql.com/bug.php?id=32167




Tags added: pending Request was from Norbert Tretkowski <nobse@alioth.debian.org> to control@bugs.debian.org. (Fri, 09 May 2008 13:06:50 GMT) Full text and rfc822 format available.

Tags removed: pending Request was from ntretkow@rollcage.tretkowski.de (Norbert Tretkowski) to control@bugs.debian.org. (Sat, 10 May 2008 06:42:04 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Monty Taylor <mtaylor-guest@alioth.debian.org> to control@bugs.debian.org. (Wed, 14 May 2008 08:21:13 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Norbert Tretkowski <nobse@alioth.debian.org> to control@bugs.debian.org. (Mon, 26 May 2008 19:09:05 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Norbert Tretkowski <nobse@alioth.debian.org> to control@bugs.debian.org. (Thu, 05 Jun 2008 09:36:02 GMT) Full text and rfc822 format available.

Reply sent to Norbert Tretkowski <nobse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 480292-close@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: 480292-close@bugs.debian.org
Subject: Bug#480292: fixed in mysql-dfsg-5.0 5.0.51a-7
Date: Mon, 09 Jun 2008 15:17:58 +0000
Source: mysql-dfsg-5.0
Source-Version: 5.0.51a-7

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.51a-7_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-7_amd64.deb
libmysqlclient15off_5.0.51a-7_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-7_amd64.deb
mysql-client-5.0_5.0.51a-7_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-7_amd64.deb
mysql-client_5.0.51a-7_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-7_all.deb
mysql-common_5.0.51a-7_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-7_all.deb
mysql-dfsg-5.0_5.0.51a-7.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-7.diff.gz
mysql-dfsg-5.0_5.0.51a-7.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-7.dsc
mysql-server-5.0_5.0.51a-7_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-7_amd64.deb
mysql-server_5.0.51a-7_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 05 Jun 2008 11:49:45 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15off libmysqlclient15-dev mysql-common mysql-client-5.0 mysql-server-5.0 mysql-server mysql-client
Architecture: source all amd64
Version: 5.0.51a-7
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 libmysqlclient15-dev - MySQL database development files
 libmysqlclient15off - MySQL database client library
 mysql-client - MySQL database client (meta package depending on the latest versi
 mysql-client-5.0 - MySQL database client binaries
 mysql-common - MySQL database common files
 mysql-server - MySQL database server (meta package depending on the latest versi
 mysql-server-5.0 - MySQL database server binaries
Closes: 480292 480362 480525 480647 480940 481154 481303 484012
Changes: 
 mysql-dfsg-5.0 (5.0.51a-7) unstable; urgency=high
 .
   [ Norbert Tretkowski ]
   * SECURITY:
     Fix for CVE-2008-2079: It was possible to circumvent privileges through
     the creation of MyISAM tables employing the DATA DIRECTORY and INDEX
     DIRECTORY options to overwrite existing table files in the MySQL data
     directory. Use of the MySQL data directory in DATA DIRECTORY and INDEX
     DIRECTORY is now disallowed. Patch from openSUSE 11.0, thanks to Michal
     Marek. (closes: #480292)
   * Fix build on non-linux systems, like hurd-i386. (closes: #480362)
   * Include symlinks for mysqlcheck. (closes: #480647)
 .
   [ Monty Taylor ]
   * Remove ndb_cpcd, as it is only for the NDB test suite and not useful as a
     public program.
   * Fix debian-start.inc.sh for table names with characters needing quotes.
     Thanks Felix Rublack! (closes: #480525, #481154, #481303, #484012)
   * Delete mysql-common.README.Debian. Nothing in it was relevant, and the
     useful information is in mysql-server anyway. (closes: #480940)
   * Remove a spurious HOME= in logrotate script.
Checksums-Sha1: 
 57643d5239c48fd35e785aebdadcb25291c89001 1707 mysql-dfsg-5.0_5.0.51a-7.dsc
 eae09f182999f70bd8215e4a799397b556a80456 299989 mysql-dfsg-5.0_5.0.51a-7.diff.gz
 7ffb9d13bf57a8a54d0d5369c20eaecc47760ab3 58532 mysql-common_5.0.51a-7_all.deb
 8df20d214330d2d8ea262c8c2640a43581883523 52918 mysql-server_5.0.51a-7_all.deb
 c0a5b912e035ed1aff00392ef109d521ed94837f 50720 mysql-client_5.0.51a-7_all.deb
 0fc0a9c02720f61ef021b0426616b07611d70f33 1903040 libmysqlclient15off_5.0.51a-7_amd64.deb
 d4ce46af7286c7c218d0d91f93b41c68e164a255 7585870 libmysqlclient15-dev_5.0.51a-7_amd64.deb
 af19870608a8d1ab910ca31dbb863f9031230e81 8205504 mysql-client-5.0_5.0.51a-7_amd64.deb
 678aa1f41b27fd1158535eeebb4ede94f1cef931 27145444 mysql-server-5.0_5.0.51a-7_amd64.deb
Checksums-Sha256: 
 f5842259a650fac6bf89130ac6ef87d7d6f299346fec155397bf998f1751aaee 1707 mysql-dfsg-5.0_5.0.51a-7.dsc
 d07d5185a7b190d59587b7089d82d45e214a3627fc26cca4aac18596fcce5d03 299989 mysql-dfsg-5.0_5.0.51a-7.diff.gz
 9ef3aa75b6e809b70fefb1cc8c56c8a7a291abf022a07c1502afa2c9fcb246b5 58532 mysql-common_5.0.51a-7_all.deb
 d883dee56daeb7bd79ba980d4ba0e1ec88e24015c684506a9ceba8e25210be11 52918 mysql-server_5.0.51a-7_all.deb
 22cac98b62a24d638e535707e6fafdb9204576482654160e57094f9f11d7e2e9 50720 mysql-client_5.0.51a-7_all.deb
 90ec8bb7701a37e72bf8b68153a0dc9f340c83f75556897bc81635a093fba124 1903040 libmysqlclient15off_5.0.51a-7_amd64.deb
 14227ecfe87684c1b7973e1b4204ca23b028e6aba356dbb04e2b3173a4799b0d 7585870 libmysqlclient15-dev_5.0.51a-7_amd64.deb
 b1d06c3c4bad000068a51cfb1454720ca9370de7163abdb78b227a6144213f71 8205504 mysql-client-5.0_5.0.51a-7_amd64.deb
 b514df7a05efde5313fe13bd76914ba51af5ed8a38c1b930e6ffae9b41711111 27145444 mysql-server-5.0_5.0.51a-7_amd64.deb
Files: 
 d89b2a6c7506199c1871bdc698ebe9a4 1707 misc optional mysql-dfsg-5.0_5.0.51a-7.dsc
 9c0bee7e11af2b6ab839ae4aba5a7df1 299989 misc optional mysql-dfsg-5.0_5.0.51a-7.diff.gz
 0fd93935fb13f2d037f24d311cd8ad2a 58532 misc optional mysql-common_5.0.51a-7_all.deb
 d18928e60b2d4982cbb877be8c7f4e43 52918 misc optional mysql-server_5.0.51a-7_all.deb
 75bb116851bc93a5d2a731ad1ec9a007 50720 misc optional mysql-client_5.0.51a-7_all.deb
 5b59994bd58924f432f27ff49430f4f2 1903040 libs optional libmysqlclient15off_5.0.51a-7_amd64.deb
 76061b0ccfe005dc42641f23947a15d5 7585870 libdevel optional libmysqlclient15-dev_5.0.51a-7_amd64.deb
 e08f320969cf95631ed1017e8d46555c 8205504 misc optional mysql-client-5.0_5.0.51a-7_amd64.deb
 e7104da281fce2826c89ba146da91ace 27145444 misc optional mysql-server-5.0_5.0.51a-7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFITSSLr/RnCw96jQERArbeAJ0dOrzX7nzeU09tQDPihKCncS5tXACeIrV3
OUAe/RsgreYKkaHiylGgeAw=
=PDj+
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#480292; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 480292@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: 480292@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: Re: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
Date: Thu, 3 Jul 2008 00:35:58 -0700
[Message part 1 (text/plain, inline)]
reopen 480292
quit

I don't believe that the patch applied to address this bug was sufficient.  In
preparing the stable update I initially applied it, before finding two things:

First, fn_format() only calls readlink() once on the entire path, not on any
component thereof; hence it will only actually detect when the last component
of a path was a symlink.  Exploiting this merely requires adding another path
component below the symlink path -- for example:

	$ ls -l /tmp/foo
	lrwxrwxrwx 1 aqua 1000 14 Jul  3 05:36 /tmp/foo -> /var/lib/mysql

	mysql> use test1 ;
	Database changed

	mysql> create table t (a int) data directory '/tmp/foo' ;
	ERROR 1210 (HY000): Incorrect arguments to DATA DIRECORY

	mysql> create table t (a int) data directory '/tmp/foo/mysql' ;
	Query OK, 0 rows affected (0.02 sec)

	$ ls -l /var/lib/mysql/mysql/t.MYD 
	-rw-rw---- 1 mysql mysql 0 Jul  3 07:27 /var/lib/mysql/mysql/t.MYD

Second, even if fn_format() did fully resolve symlinks in the path, its output
is actually ignored; this is an except from 92_SECURITY_CVE-2008-2079.dpatch
in mysql-dfsg-5.0 5.0.51a-9:

	+static bool test_if_data_home_dir(const char *dir)
	+{
	[...]
	+  (void) fn_format(path, dir, "", "",
	+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
	+  dir_len= unpack_dirname(conv_path, dir);
	[...]
	+    else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
	+      DBUG_RETURN(1);

fn_format reads the potentially hostile 'dir' and writes the marginally
readlink()'ed result to 'path'.  But unpack_dirname is passed 'dir' again, not
'path', so it's the origianl string which is used in the subsequent
comparison.

In terms of exploitability, this allows any user with permissions to create
tables in a db the ability to read from, write to and delete tables from any
other database within the same mysql instance.


-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Devin Carraway <devin@debian.org> to control@bugs.debian.org. (Thu, 03 Jul 2008 07:39:26 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#480292; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #32 received at 480292@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: Devin Carraway <devin@debian.org>
Cc: 480292@bugs.debian.org
Subject: Re: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
Date: Fri, 4 Jul 2008 14:56:00 +0200
Hi Devin!

Looks like upstream patch is incomplete.  Have you already notified
upstream about the problem?

> In terms of exploitability, this allows any user with permissions to
> create tables in a db the ability to read from, write to and delete
> tables from any other database within the same mysql instance.

Can you possibly explain this a little closer?  MySQL should not allow
you to overwrite existing tables via DATA/INDEX DIRECTORY directives.
So you can only get access to tables created in the future, if you can
predict their names.  Or have you managed to escalate privileges to
already existing tables using this flaw?

Thanks!

-- 
Tomas Hoger




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#480292; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #37 received at 480292@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: Tomas Hoger <thoger@redhat.com>
Cc: Devin Carraway <devin@debian.org>, 480292@bugs.debian.org
Subject: Re: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
Date: Sun, 6 Jul 2008 14:42:31 -0700
[Message part 1 (text/plain, inline)]
On Fri, Jul 04, 2008 at 02:56:00PM +0200, Tomas Hoger wrote:
> Looks like upstream patch is incomplete.  Have you already notified
> upstream about the problem?

Not yet -- I still need to hand verify it against a pristine upstream; it's
reproducible with 5.0.51a from Sid, but the implementation of the path check
has changed significantly from the original patch.  I'll look into that once I
get a workable fix out for etch.


> > In terms of exploitability, this allows any user with permissions to
> > create tables in a db the ability to read from, write to and delete
> > tables from any other database within the same mysql instance.
> 
> Can you possibly explain this a little closer?  MySQL should not allow
> you to overwrite existing tables via DATA/INDEX DIRECTORY directives.
> So you can only get access to tables created in the future, if you can
> predict their names.  Or have you managed to escalate privileges to
> already existing tables using this flaw?

Sorry, I was taking the temporal part of the attack as read -- yes, the attack
is still based on creating the hostile tables before the victim database does.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#480292; Package mysql-server-5.0. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #42 received at 480292@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: 480292@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: CVE-2008-2079: mysql allows local users to bypass certain privilege checks
Date: Mon, 7 Jul 2008 01:00:15 -0700
[Message part 1 (text/plain, inline)]
tags 480292 +patch
quit

Here's a patch I'm building for an Etch update to address the problem.  It's
pretty close to the same one used in the first fix to this bug, except that it
adds a call to realpath() to resolve all components of the path, and fixes the
argument passing so as not to throw the resolved forms away.


-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[97_SECURITY_CVE-2008-2079.dpatch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Devin Carraway <devin@debian.org> to control@bugs.debian.org. (Mon, 07 Jul 2008 08:03:04 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Norbert Tretkowski <nobse@alioth.debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 17:42:05 GMT) Full text and rfc822 format available.

Reply sent to Norbert Tretkowski <nobse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #51 received at 480292-close@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: 480292-close@bugs.debian.org
Subject: Bug#480292: fixed in mysql-dfsg-5.0 5.0.51a-10
Date: Thu, 17 Jul 2008 17:17:10 +0000
Source: mysql-dfsg-5.0
Source-Version: 5.0.51a-10

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.51a-10_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51a-10_amd64.deb
libmysqlclient15off_5.0.51a-10_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51a-10_amd64.deb
mysql-client-5.0_5.0.51a-10_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51a-10_amd64.deb
mysql-client_5.0.51a-10_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.51a-10_all.deb
mysql-common_5.0.51a-10_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.51a-10_all.deb
mysql-dfsg-5.0_5.0.51a-10.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-10.diff.gz
mysql-dfsg-5.0_5.0.51a-10.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51a-10.dsc
mysql-server-5.0_5.0.51a-10_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51a-10_amd64.deb
mysql-server_5.0.51a-10_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.51a-10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 15 Jul 2008 19:37:35 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15off libmysqlclient15-dev mysql-common mysql-client-5.0 mysql-server-5.0 mysql-server mysql-client
Architecture: source all amd64
Version: 5.0.51a-10
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 libmysqlclient15-dev - MySQL database development files
 libmysqlclient15off - MySQL database client library
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.0 - MySQL database client binaries
 mysql-common - MySQL database common files
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.0 - MySQL database server binaries
Closes: 474893 480292 486443 488740 489266
Changes: 
 mysql-dfsg-5.0 (5.0.51a-10) unstable; urgency=high
 .
   * Merge testing-security upload to finally fix CVE-2008-2079, thanks to
     Devin Carraway and Steffen Joeris. (closes: #480292)
   * New patch 58_disable-ndb-backup-print.dpatch from 5.0.54 to disable
     ndb_backup_print, ndb_alter_table and ndb_replace tests when running the
     testsuite. (closes: #474893)
   * Reenable error handling in testsuite on i386, disabling it was just a
     workaround for the problem which is now fixed with the above patch.
   * Update debconf translations:
     - Vietnamese, from Clytie Siddall. (closes: #486443)
     - Spanish, from Javier Fernández-Sanguino Peña. (closes: #488740)
     - Slovak, from helix84. (closes: #489266)
   * Make lintian happy:
     - Fix build-dependency on -1 revision.
     - Fix deprecated chown usage.
     - Fix spelling error in description.
Checksums-Sha1: 
 afac4abe407dc43c0238cd26462f16bcabe409ed 1709 mysql-dfsg-5.0_5.0.51a-10.dsc
 22f785884266c9be378aac0be1abb19efe8c6c47 305384 mysql-dfsg-5.0_5.0.51a-10.diff.gz
 71e7afb52037cc8c6ebb7d6a2b8addcb8614b15f 59294 mysql-common_5.0.51a-10_all.deb
 8d8912770714e65d9c6fb6549f1607e990c86701 53680 mysql-server_5.0.51a-10_all.deb
 8958eb600c2ca9372a5f297a3b61dc0c89ab8c84 51486 mysql-client_5.0.51a-10_all.deb
 2ab929e22d628ad1d85add50e7db0d366ce74b90 1903946 libmysqlclient15off_5.0.51a-10_amd64.deb
 f1aae87c9e6b3bdb2163785e8190b978861ca6e5 7584062 libmysqlclient15-dev_5.0.51a-10_amd64.deb
 e52131dcebe8814b2dd407d2d904bcca992278c5 8204914 mysql-client-5.0_5.0.51a-10_amd64.deb
 8d438d34916ce8c7f7147dcc9ff85115704ff9a4 27150844 mysql-server-5.0_5.0.51a-10_amd64.deb
Checksums-Sha256: 
 4707c61b34678e431296dbc79bffff0b6ac3d2a04d9051bb1feaba3c221efec9 1709 mysql-dfsg-5.0_5.0.51a-10.dsc
 d44e01e4f84531f4437d959cda35de0a7c3f1b39562d5a7ec1eeffb124d5745c 305384 mysql-dfsg-5.0_5.0.51a-10.diff.gz
 0d2312fc6ef0d2b773a45734ef6c009ce9256fe9f05082e09189d07eb5c51b91 59294 mysql-common_5.0.51a-10_all.deb
 f4f637608a537da73434d94cb8aab7c7068f4f268b631c92d96aec095dd62580 53680 mysql-server_5.0.51a-10_all.deb
 228255917106d3539a899707c8d54297e85b9602ccb49767986936e62cc62dff 51486 mysql-client_5.0.51a-10_all.deb
 658dc8877b1aa097cb04eadc656d00317eb74d2f8a2e1211a661006bbe4d56a3 1903946 libmysqlclient15off_5.0.51a-10_amd64.deb
 e2708bd0177727ca4302413113520d2ff70e21fdc3728a996743a7256709f15c 7584062 libmysqlclient15-dev_5.0.51a-10_amd64.deb
 dd3d6b470d16fed907de1fb04a2ef3df264ffb667252229673d0bfdef1a02e51 8204914 mysql-client-5.0_5.0.51a-10_amd64.deb
 6be960bf6ac5dbd671b50c1bc22aa4b875acc22d313e3eb1d6be38310f690658 27150844 mysql-server-5.0_5.0.51a-10_amd64.deb
Files: 
 ba7003a2f8344585211ce5a4cb24b11c 1709 misc optional mysql-dfsg-5.0_5.0.51a-10.dsc
 1c530566790e695beb2de3d976f78a0f 305384 misc optional mysql-dfsg-5.0_5.0.51a-10.diff.gz
 5f46e88a324ad7ffd1774827340246d0 59294 misc optional mysql-common_5.0.51a-10_all.deb
 b01dceda9d6a455347564c83ef3bb64e 53680 misc optional mysql-server_5.0.51a-10_all.deb
 d677d82125f59e6d4eedd2bd6a4d60c1 51486 misc optional mysql-client_5.0.51a-10_all.deb
 54deedc089b239249371bb21d934e745 1903946 libs optional libmysqlclient15off_5.0.51a-10_amd64.deb
 e2546e3cb0e2d946a0736011bfc634fa 7584062 libdevel optional libmysqlclient15-dev_5.0.51a-10_amd64.deb
 4c6f2d24a2cdf5b690e6faa386121ea5 8204914 misc optional mysql-client-5.0_5.0.51a-10_amd64.deb
 e19d8c873f367c7b51b5c764a87349d7 27150844 misc optional mysql-server-5.0_5.0.51a-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIf3mXr/RnCw96jQERAkc8AKCv3iiRe1xqaxL5kNxMOHr3cpUJnACeMNjF
0UNZVPjo6f+D/Bs16SQdMqA=
=0zt2
-----END PGP SIGNATURE-----





Tags added: pending Request was from Norbert Tretkowski <nobse@alioth.debian.org> to control@bugs.debian.org. (Thu, 04 Dec 2008 21:12:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Aug 2009 07:36:39 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:18:58 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.