______________________________________________________________________ Mandrake Linux Security Update Advisory ______________________________________________________________________ Package name: MySQL Advisory ID: MDKSA-2003:057 Date: May 14th, 2003 Affected versions: 8.2, 9.0, Corporate Server 2.1 ______________________________________________________________________ Problem Description: In MySQL 3.23.55 and earlier, MySQL would create world-writeable files and allow mysql users to gain root privileges by using the "SELECT * INTO OUTFILE" operator to overwrite a configuration file, which could cause mysql to run as root upon restarting the daemon. This has been fixed upstream in version 3.23.56, which is provided for Mandrake Linux 9.0 and Corporate Server 2.1 users. The other updated packages have been patched to correct this issue. ______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0150 http://www.mysql.com/doc/en/News-3.23.56.html ______________________________________________________________________ Updated Packages: Corporate Server 2.1: 771da57ceb06e83004574943d5b0ac90 corporate/2.1/RPMS/libmysql10-3.23.56-1.3mdk.i586.rpm 9cb6003252c9739437ac718f8ce30bd3 corporate/2.1/RPMS/libmysql10-devel-3.23.56-1.3mdk.i586.rpm 23ca6464b816cef97219b6502f724ba1 corporate/2.1/RPMS/MySQL-3.23.56-1.3mdk.i586.rpm 875361e8f58f0a4115d97218c5d2994b corporate/2.1/RPMS/MySQL-Max-3.23.56-1.3mdk.i586.rpm 6c232f27da3a9ef54aaedf27adf24194 corporate/2.1/RPMS/MySQL-bench-3.23.56-1.3mdk.i586.rpm 35f369564c22d2ea616be53ed3cfc443 corporate/2.1/RPMS/MySQL-client-3.23.56-1.3mdk.i586.rpm ec9f60b48602b37ab0d0f169e6f76d7d corporate/2.1/SRPMS/MySQL-3.23.56-1.3mdk.src.rpm Mandrake Linux 8.2: f5e6fe580b843dc2b9b88dc718a7e023 8.2/RPMS/libmysql10-3.23.47-5.4mdk.i586.rpm de9d9746e1d11e9ac0f33d8dccc9efb5 8.2/RPMS/libmysql10-devel-3.23.47-5.4mdk.i586.rpm 8b6a93228a219c0c8c1ee3bf10f8db75 8.2/RPMS/MySQL-3.23.47-5.4mdk.i586.rpm 78661bad82cdfd289b15b5a04ad5a7dc 8.2/RPMS/MySQL-bench-3.23.47-5.4mdk.i586.rpm e0dff82e38a007e76dd47e3f36af6cf8 8.2/RPMS/MySQL-client-3.23.47-5.4mdk.i586.rpm cb9877acc377e474a747b92b248ad15f 8.2/SRPMS/MySQL-3.23.47-5.4mdk.src.rpm Mandrake Linux 8.2/PPC: 687e59d3fd1b6537089f5170fcb6b774 ppc/8.2/RPMS/libmysql10-3.23.47-5.4mdk.ppc.rpm 42ecf94aeef17701612f9ca983532f49 ppc/8.2/RPMS/libmysql10-devel-3.23.47-5.4mdk.ppc.rpm 2166b3a117fd64530fe9c4824863c794 ppc/8.2/RPMS/MySQL-3.23.47-5.4mdk.ppc.rpm a63145890735d6d6fe2f5deb89dcaea3 ppc/8.2/RPMS/MySQL-bench-3.23.47-5.4mdk.ppc.rpm bef9db8d6b2c601c198108b1691d18ad ppc/8.2/RPMS/MySQL-client-3.23.47-5.4mdk.ppc.rpm cb9877acc377e474a747b92b248ad15f ppc/8.2/SRPMS/MySQL-3.23.47-5.4mdk.src.rpm Mandrake Linux 9.0: 771da57ceb06e83004574943d5b0ac90 9.0/RPMS/libmysql10-3.23.56-1.3mdk.i586.rpm 9cb6003252c9739437ac718f8ce30bd3 9.0/RPMS/libmysql10-devel-3.23.56-1.3mdk.i586.rpm 23ca6464b816cef97219b6502f724ba1 9.0/RPMS/MySQL-3.23.56-1.3mdk.i586.rpm 875361e8f58f0a4115d97218c5d2994b 9.0/RPMS/MySQL-Max-3.23.56-1.3mdk.i586.rpm 6c232f27da3a9ef54aaedf27adf24194 9.0/RPMS/MySQL-bench-3.23.56-1.3mdk.i586.rpm 35f369564c22d2ea616be53ed3cfc443 9.0/RPMS/MySQL-client-3.23.56-1.3mdk.i586.rpm ec9f60b48602b37ab0d0f169e6f76d7d 9.0/SRPMS/MySQL-3.23.56-1.3mdk.src.rpm ______________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ______________________________________________________________________ To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig <filename> All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com> ______________________________________________________________________ Mandrake Linux Security Update Advisory ______________________________________________________________________ Package name: xinetd Advisory ID: MDKSA-2003:056 Date: May 14th, 2003 Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2, Single Network Firewall 7.2 ______________________________________________________________________ Problem Description: A vulnerability was discovered in xinetd where memory was allocated and never freed if a connection was refused for any reason. Because of this bug, an attacker could crash the xinetd server, making unavailable all of the services it controls. Other flaws were also discovered that could cause incorrect operation in certain strange configurations. These issues have been fixed upstream in xinetd version 2.3.11 which are provided in this update. ______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0211 ______________________________________________________________________ Updated Packages: Corporate Server 2.1: a9121e4a9d10ceae2432619f2b1cb39d corporate/2.1/RPMS/xinetd-2.3.11-1.1mdk.i586.rpm 92bd935f2578bb67f90d9e748a1bb636 corporate/2.1/RPMS/xinetd-ipv6-2.3.11-1.1mdk.i586.rpm 48c1a13b666f519b893f9d36c2d440c4 corporate/2.1/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Mandrake Linux 8.2: b4eff824d68251d41e4bac24cf215a74 8.2/RPMS/xinetd-2.3.11-1.1mdk.i586.rpm 994553078c5caf6853422ad51a08405c 8.2/RPMS/xinetd-ipv6-2.3.11-1.1mdk.i586.rpm 48c1a13b666f519b893f9d36c2d440c4 8.2/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Mandrake Linux 8.2/PPC: 7dab7aa553e059299a24ebaab552fd01 ppc/8.2/RPMS/xinetd-2.3.11-1.1mdk.ppc.rpm ffa308c43027a43b3b050c68841b12e9 ppc/8.2/RPMS/xinetd-ipv6-2.3.11-1.1mdk.ppc.rpm 48c1a13b666f519b893f9d36c2d440c4 ppc/8.2/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Mandrake Linux 9.0: a9121e4a9d10ceae2432619f2b1cb39d 9.0/RPMS/xinetd-2.3.11-1.1mdk.i586.rpm 92bd935f2578bb67f90d9e748a1bb636 9.0/RPMS/xinetd-ipv6-2.3.11-1.1mdk.i586.rpm 48c1a13b666f519b893f9d36c2d440c4 9.0/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Mandrake Linux 9.1: b7ad521d0068d894d3e4255ee628ade8 9.1/RPMS/xinetd-2.3.11-1.1mdk.i586.rpm 2c12b8ae701f10c165244f4ed9e71717 9.1/RPMS/xinetd-ipv6-2.3.11-1.1mdk.i586.rpm 48c1a13b666f519b893f9d36c2d440c4 9.1/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Mandrake Linux 9.1/PPC: 273514196962d9ed8065475d865e36ac ppc/9.1/RPMS/xinetd-2.3.11-1.1mdk.ppc.rpm 82ab5d4c702b234f47f31a64d6874e56 ppc/9.1/RPMS/xinetd-ipv6-2.3.11-1.1mdk.ppc.rpm 48c1a13b666f519b893f9d36c2d440c4 ppc/9.1/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Multi Network Firewall 8.2: b4eff824d68251d41e4bac24cf215a74 mnf8.2/RPMS/xinetd-2.3.11-1.1mdk.i586.rpm 994553078c5caf6853422ad51a08405c mnf8.2/RPMS/xinetd-ipv6-2.3.11-1.1mdk.i586.rpm 48c1a13b666f519b893f9d36c2d440c4 mnf8.2/SRPMS/xinetd-2.3.11-1.1mdk.src.rpm Single Network Firewall 7.2: 7128cefb35c9a7e2ba62f2c2b91f0302 snf7.2/RPMS/xinetd-2.3.11-1.2mdk.i586.rpm d9dbed2c5d7ef2e993593c204ee3d4cd snf7.2/RPMS/xinetd-ipv6-2.3.11-1.2mdk.i586.rpm cad5c246f04dae6ff97bdfb4018d1f6e snf7.2/SRPMS/xinetd-2.3.11-1.2mdk.src.rpm ______________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ______________________________________________________________________ To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig <filename> All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>
Mandrake Linux Security Advisories: MySQL, xinetd
By
Get the Free Newsletter!
Subscribe to Developer Insider for top news, trends, & analysis