Your message dated Wed, 23 Jan 2008 13:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#460873: fixed in mysql-dfsg-5.0 5.0.51-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mysql-dfsg-5.0
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mysql-dfsg-5.0.

CVE-2008-0227[0]:
| yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products,
| allows remote attackers to cause a denial of service (crash) via a
| Hello packet containing a large size value, which triggers a buffer
| over-read in the HASHwithTransform::Update function in hash.cpp.

CVE-2008-0226[0]:
| Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL
| and possibly other products, allow remote attackers to execute
| arbitrary code via (1) the ProcessOldClientHello function in
| handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.


If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0227
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: mysql-dfsg-5.0
Source-Version: 5.0.51-3

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.51-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.51-3_amd64.deb
libmysqlclient15off_5.0.51-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.51-3_amd64.deb
mysql-client-5.0_5.0.51-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.51-3_amd64.deb
mysql-client_5.0.51-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.51-3_all.deb
mysql-common_5.0.51-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.51-3_all.deb
mysql-dfsg-5.0_5.0.51-3.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51-3.diff.gz
mysql-dfsg-5.0_5.0.51-3.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.51-3.dsc
mysql-server-5.0_5.0.51-3_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.51-3_amd64.deb
mysql-server_5.0.51-3_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.51-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Jan 2008 11:37:11 +0100
Source: mysql-dfsg-5.0
Binary: libmysqlclient15off libmysqlclient15-dev mysql-common mysql-client-5.0 mysql-server-5.0 mysql-server mysql-client
Architecture: source all amd64
Version: 5.0.51-3
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <[EMAIL PROTECTED]>
Changed-By: Norbert Tretkowski <[EMAIL PROTECTED]>
Description: 
 libmysqlclient15-dev - MySQL database development files
 libmysqlclient15off - MySQL database client library
 mysql-client - MySQL database client (meta package depending on the latest versi
 mysql-client-5.0 - MySQL database client binaries
 mysql-common - MySQL database common files
 mysql-server - MySQL database server (meta package depending on the latest versi
 mysql-server-5.0 - MySQL database server binaries
Closes: 458798 460402 460873
Changes: 
 mysql-dfsg-5.0 (5.0.51-3) unstable; urgency=high
 .
   * SECURITY:
     Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
     versions 1.7.5 and earlier were discovered that could lead to a server
     crash or execution of unauthorized code. The exploit requires a server
     with yaSSL enabled and TCP/IP connections enabled, but does not require
     valid MySQL account credentials. The exploit does not apply to OpenSSL.
     (closes: #460873)
   * Fix LSB header in init scripts (patch from Petter Reinholdtsen).
     (closes: #458798)
   * Run testsuite on all archs, but ignore errors on alpha, arm, armel, hppa,
     mipsel and sparc. (closes: #460402)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHlzFtr/RnCw96jQERAnD6AKC34A0bUCCNJoFV/JvElNERzYFdvgCfQUJQ
Hxl1TzwCDKOPShtxLZ2+/p4=
=R4Ew
-----END PGP SIGNATURE-----



--- End Message ---
