OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src openpkg-web Date: 15-Sep-2003 12:59:37 Branch: OPENPKG_1_3_SOLID HEAD Handle: 2003091511593502 Modified files: openpkg-web news.txt Modified files: (Branch: OPENPKG_1_3_SOLID) openpkg-src/mysql mysql.patch mysql.spec Log: SA-2003.038-mysql; CAN-2003-0780 Summary: Revision Changes Path 1.3.2.4.2.1 +18 -0 openpkg-src/mysql/mysql.patch 1.49.2.5.2.4+1 -1 openpkg-src/mysql/mysql.spec 1.6562 +1 -0 openpkg-web/news.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/mysql/mysql.patch ============================================================================ $ cvs diff -u -r1.3.2.4 -r1.3.2.4.2.1 mysql.patch --- openpkg-src/mysql/mysql.patch 24 Jul 2003 20:44:33 -0000 1.3.2.4 +++ openpkg-src/mysql/mysql.patch 15 Sep 2003 10:59:37 -0000 1.3.2.4.2.1 
@@ -63,3 +63,21 @@ #endif #ifdef DATADIR DATADIR, + +http://marc.theaimsgroup.com/?l=bugtraq&m=106323221912927&w=4 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780 + Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL + 4.0.14 and earlier, and 3.23.x, allows attackers to execute + arbitrary code via a long Password field + +--- sql/sql_acl.cc.orig Fri Jul 18 16:57:47 2003 ++++ sql/sql_acl.cc Mon Sep 15 11:58:13 2003 +@@ -233,7 +233,7 @@ + "Found old style password for user '%s'. Ignoring user. (You may want to restart mysqld using --old-protocol)", + user.user ? user.user : ""); /* purecov: tested */ + } +- else if (length % 8) // This holds true for passwords ++ else if (length % 8 || length > 16) // This holds true for passwords + { + sql_print_error( + "Found invalid password for user: '[EMAIL PROTECTED]'; Ignoring user", @@ . patch -p0 <<'@@ .' Index: openpkg-src/mysql/mysql.spec ============================================================================ $ cvs diff -u -r1.49.2.5.2.3 -r1.49.2.5.2.4 mysql.spec --- openpkg-src/mysql/mysql.spec 5 Aug 2003 13:43:16 -0000 1.49.2.5.2.3 +++ openpkg-src/mysql/mysql.spec 15 Sep 2003 10:59:37 -0000 1.49.2.5.2.4 @@ -39,7 +39,7 @@ Group: Database License: GPL Version: %{V_opkg} -Release: 1.3.1 +Release: 1.3.2 # package options %option with_berkeleydb yes @@ . patch -p0 <<'@@ .' Index: openpkg-web/news.txt ============================================================================ $ cvs diff -u -r1.6561 -r1.6562 news.txt --- openpkg-web/news.txt 15 Sep 2003 10:55:54 -0000 1.6561 +++ openpkg-web/news.txt 15 Sep 2003 10:59:35 -0000 1.6562 
@@ -1,3 +1,4 @@ +15-Sep-2003: Upgraded package: P<mysql-4.0.14-1.3.2> 15-Sep-2003: New package: P<jam-2.5-20030915> 15-Sep-2003: Upgraded package: P<qt-3.2.1-20030915> 15-Sep-2003: Upgraded package: P<apt-0.5.5cnc6-20030915> @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
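Review bot: in the sql/sql_acl.cc hunk of mysql.patch, the new guard `+- else if (length % 8 || length > 16)` rejects over-long stored passwords at the point where users are loaded from the grant table, but the bound lives in the caller rather than in get_salt_from_password itself, so any other path that feeds a password string into get_salt_from_password (not shown in this patch) is not covered; consider placing the length check inside get_salt_from_password as well, and update the trailing comment `// This holds true for passwords`, which described only the `length % 8` test and no longer explains the combined condition.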
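Review bot: the mysql.spec hunk only bumps `Release: 1.3.1` to `Release: 1.3.2` while `Version: %{V_opkg}` is unchanged, so the rebuilt package still carries the upstream version 4.0.14, which the CAN-2003-0780 description lists as affected; make sure SA-2003.038 names mysql-4.0.14-1.3.2 as the fixed package so that anyone matching on the upstream version alone does not misclassify it.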
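Review bot: the news.txt entry `+15-Sep-2003: Upgraded package: P<mysql-4.0.14-1.3.2>` reads like a routine upgrade and does not mention SA-2003.038 or CAN-2003-0780, so readers scanning news.txt cannot tell it is a security fix; if the news format allows it, reference the advisory in the entry.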