Your message dated Sun, 27 Aug 2006 16:32:25 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#384798: fixed in mysql-dfsg-5.0 5.0.24-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: mysql-server
Severity: important
Tags: security
Two vulnerabilities have been reported in MySQL:

CVE-2006-4226:
MySQL before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when
run on case-sensitive filesystems, allows remote authenticated users
to create or access a database when the database name differs only in
case from a database for which they have permissions.

CVE-2006-4227:
MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of
suid routines in the security context of the routine's definer instead of the
routine's caller, which allows remote authenticated users to gain privileges
through a routine that has been made available using GRANT EXECUTE.

Please mention the CVE-ids in the changelog.
--- End Message ---
--- Begin Message ---
Source: mysql-dfsg-5.0
Source-Version: 5.0.24-3
We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:
libmysqlclient15-dev_5.0.24-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.24-3_amd64.deb
libmysqlclient15off_5.0.24-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.24-3_amd64.deb
mysql-client-5.0_5.0.24-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.24-3_amd64.deb
mysql-client_5.0.24-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.24-3_all.deb
mysql-common_5.0.24-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.24-3_all.deb
mysql-dfsg-5.0_5.0.24-3.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.24-3.diff.gz
mysql-dfsg-5.0_5.0.24-3.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.24-3.dsc
mysql-server-5.0_5.0.24-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.24-3_amd64.deb
mysql-server_5.0.24-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.24-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 26 Aug 2006 04:55:17 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server
mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all amd64
Version: 5.0.24-3
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description:
libmysqlclient15-dev - mysql database development files
libmysqlclient15off - mysql database client library
mysql-client - mysql database client (current version)
mysql-client-5.0 - mysql database client binaries
mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
mysql-server - mysql database server (current version)
mysql-server-5.0 - mysql database server binaries
Closes: 384798
Changes:
 mysql-dfsg-5.0 (5.0.24-3) unstable; urgency=high
 .
   * SECURITY:
     CVE-2006-4226:
       When run on case-sensitive filesystems, MySQL allows remote
       authenticated users to create or access a database when the database
       name differs only in case from a database for which they have
       permissions.
     CVE-2006-4227:
       MySQL evaluates arguments of suid routines in the security context of
       the routine's definer instead of the routine's caller, which allows
       remote authenticated users to gain privileges through a routine that
       has been made available using GRANT EXECUTE.
     Thanks to Stefan Fritsch for reporting. Closes: #384798
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iEYEARECAAYFAkTyKLQACgkQkR9K5oahGOYktgCgr9DxsNJXBoxOHqoyS/QpXHWo
cTkAnRJofaKhA16J/25y7x9EoN++lCkb
=pSjg
-----END PGP SIGNATURE-----
--- End Message ---