Bug#599937: [debian-mysql] Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
Hi Moritz,

On Saturday, 20.11.2010, at 10:28 +0100, Moritz Muehlenhoff wrote:
> On Sun, Nov 07, 2010 at 11:54:14AM +0100, Norbert Tretkowski wrote:
> > On Friday, 29.10.2010, at 21:57 +0200, Moritz Muehlenhoff wrote:
> > > Patch against 5.1.49 attached.
> >
> > thanks, I was on vacation last week, but I'm going to upload 5.1.49-3
> > including your patch in the course of next week.
>
> What's the status?

it's in our SVN repo already, I'll try to find time for an upload next weekend. Sorry for the delay!

Regards, Norbert

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#599937: [debian-mysql] Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
On Sun, Nov 07, 2010 at 11:54:14AM +0100, Norbert Tretkowski wrote:
> Hi Moritz,
>
> On Friday, 29.10.2010, at 21:57 +0200, Moritz Muehlenhoff wrote:
> > Patch against 5.1.49 attached.
>
> thanks, I was on vacation last week, but I'm going to upload 5.1.49-3
> including your patch in the course of next week.
>
> Norbert

What's the status?

Cheers,
Moritz
Bug#599937: [debian-mysql] Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
Hi Moritz,

On Friday, 29.10.2010, at 21:57 +0200, Moritz Muehlenhoff wrote:
> Patch against 5.1.49 attached.

thanks, I was on vacation last week, but I'm going to upload 5.1.49-3 including your patch in the course of next week.

Norbert
Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
tags 599937 patch
thanks

On Tue, Oct 12, 2010 at 05:56:38PM +0200, Moritz Muehlenhoff wrote:
> Package: mysql-5.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> 5.1.51 fixes eight security issues. It has already been uploaded to
> experimental, so depending on the amount and quality of changes it needs
> to be checked whether this version should be uploaded to Squeeze or fixes
> need to be cherry-picked:

Patch against 5.1.49 attached.

Cheers,
Moritz

diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/func_gconcat.result mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result --- mysql-5.1-5.1.49.orig//mysql-test/r/func_gconcat.result 2010-07-09 15:02:55.0 +0200 +++ mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result 2010-10-29 21:52:45.0 +0200 @@ -995,6 +995,7 @@ 1 1 DROP TABLE t1; +End of 5.0 tests # # Bug #52397: another crash with explain extended and group_concat # @@ -1010,4 +1011,22 @@ Warnings: Note 1003 select 1 AS `1` from (select group_concat(`test`.`t1`.`a` order by `test`.`t1`.`a` ASC separator ',') AS `GROUP_CONCAT(t1.a ORDER BY t1.a ASC)` from `test`.`t1` `t2` join `test`.`t1` group by `test`.`t1`.`a`) `d` DROP TABLE t1; -End of 5.0 tests +# +# Bug #54476: crash when group_concat and 'with rollup' in prepared statements +# +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (1), (2); +PREPARE stmt FROM SELECT GROUP_CONCAT(t1.a ORDER BY t1.a) FROM t1 JOIN t1 t2 GROUP BY t1.a WITH ROLLUP; +EXECUTE stmt; +GROUP_CONCAT(t1.a ORDER BY t1.a) +1,1 +2,2 +1,1,2,2 +EXECUTE stmt; +GROUP_CONCAT(t1.a ORDER BY t1.a) +1,1 +2,2 +1,1,2,2 +DEALLOCATE PREPARE stmt; +DROP TABLE t1; +End of 5.1 tests diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/func_misc.result mysql-5.1-5.1.49/mysql-test/r/func_misc.result --- mysql-5.1-5.1.49.orig//mysql-test/r/func_misc.result 2010-07-09 15:02:55.0 +0200 +++ mysql-5.1-5.1.49/mysql-test/r/func_misc.result 2010-10-29 21:52:47.0 +0200 
@@ -336,4 +336,19 @@ select connection_id() 0; connection_id() 0 1 +# +# Bug #54461: crash with longblob and union or update with subquery +# +CREATE TABLE t1 (a INT, b LONGBLOB); +INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2'); +SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +LEAST(a, (SELECT b FROM t1 LIMIT 1)) +1 +2 +SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +GREATEST(a, (SELECT b FROM t1 LIMIT 1)) +2 +3 +1 +DROP TABLE t1; End of tests diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/join.result mysql-5.1-5.1.49/mysql-test/r/join.result --- mysql-5.1-5.1.49.orig//mysql-test/r/join.result 2010-07-09 15:03:00.0 +0200 +++ mysql-5.1-5.1.49/mysql-test/r/join.result 2010-10-29 21:52:39.0 +0200 @@ -1184,4 +1184,55 @@ NULL 1 DROP TABLE t1, t2, mm1; +# +# Bug #55568: user variable assignments crash server when used within +# query +# +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (0), (1); +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +DROP TABLE t1; +# +# Bug #54468: crash after item's print() function when ordering/grouping +# by subquery +# +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, +(SELECT 1 FROM +(SELECT t1.b FROM t1,t1 t2 +ORDER BY t1.a, t1.a LIMIT 1) AS d) +); +1 +1 +DROP TABLE t1; End of 5.1 tests diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/user_var.result mysql-5.1-5.1.49/mysql-test/r/user_var.result --- mysql-5.1-5.1.49.orig//mysql-test/r/user_var.result 2010-07-09 15:03:13.0 +0200 +++ mysql-5.1-5.1.49/mysql-test/r/user_var.result 2010-10-29 21:52:42.0 +0200 
@@ -430,4 +430,21 @@ INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +# BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) +1 +1 +# BUG#55564 : should not crash +SELECT IF( +...@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +FROM t1 GROUP BY a LIMIT 1; +IF( +...@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +1 +DROP TABLE t1; End of 5.1 tests diff -Naur mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/r/innodb_mysql.result mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result --- mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/r/innodb_mysql.result 2010-07-09 15:05:40.0 +0200 +++ mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result 2010-10-29 21:52:36.0 +0200 @@ -2499,4 +2499,17 @@ id select_type table
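Review bot: Confirm that mysql-test/t/func_gconcat.test carries the same `End of 5.0 tests` move as the first func_gconcat.result hunk, together with the new Bug #54476 statements; a result file that changes without its .test input will fail as a result mismatch under mysql-test-run. More generally, every hunk visible here is under mysql-test/r/ or mysql-test/suite/innodb/r/, so the attachment should be checked for the corresponding .test files and the server-side source changes that these expected outputs belong to.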
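Review bot: The Bug #54468 block added to join.result and the BUG#55615 case added to user_var.result are not among the eight bugs with CVE assignments in the original report (55826, 55568, 55564, 54568, 54476, 54461, 53544, 51875). If they are prerequisites for the cherry-picked fixes, the changelog entry should say so; if not, leaving them out keeps the diff against 5.1.49 minimal. In the other direction, no expected output for 55826, 54568, 53544 or 51875 appears before the text cuts off in innodb_mysql.result, so the remainder of the patch needs to be checked for those.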
Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
Quoting Moritz Muehlenhoff (muehlenh...@univention.de):
> Package: mysql-5.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> 5.1.51 fixes eight security issues. It has already been uploaded to
> experimental, so depending on the amount and quality of changes it needs
> to be checked whether this version should be uploaded to Squeeze or fixes
> need to be cherry-picked:

If someone does this, I would appreciate seeing #592171, #592813, #598339, #599483 fixed as well by the same upload. All are about dropping a PO file in debian/po and writing a changelog entry.

Patch attached.

diff -Nru mysql-5.1-5.1.49.old/debian/changelog mysql-5.1-5.1.49/debian/changelog --- mysql-5.1-5.1.49.old/debian/changelog 2010-10-09 09:30:03.531634110 +0200 +++ mysql-5.1-5.1.49/debian/changelog 2010-10-13 06:47:21.328788403 +0200 @@ -1,3 +1,14 @@ +mysql-5.1 (5.1.49-1.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: +- Spanish (Javier Fernández-Sanguino). Closes: #592171 +- Galician (Jorge Barreiro). Closes: #592813 +- Czech (Miroslav Kure). Closes: #598339 +- Danish (Joe Hansen). Closes: #599483 + + -- Christian Perrier bubu...@debian.org Sat, 09 Oct 2010 09:30:23 +0200 + mysql-5.1 (5.1.49-1) unstable; urgency=low * New upstream release. diff -Nru mysql-5.1-5.1.49.old/debian/po/cs.po mysql-5.1-5.1.49/debian/po/cs.po --- mysql-5.1-5.1.49.old/debian/po/cs.po 2010-10-09 09:30:03.503630060 +0200 +++ mysql-5.1-5.1.49/debian/po/cs.po 2010-10-09 09:31:17.439654698 +0200 @@ -16,7 +16,7 @@ Project-Id-Version: mysql-dfsg-5.1\n Report-Msgid-Bugs-To: mysql-...@packages.debian.org\n POT-Creation-Date: 2010-07-31 12:35+0200\n -PO-Revision-Date: 2007-05-01 13:01+0200\n +PO-Revision-Date: 2010-09-28 13:02+0200\n Last-Translator: Miroslav Kure ku...@debian.cz\n Language-Team: Czech debian-l10n-cz...@lists.debian.org\n Language: cs\n 
@@ -39,14 +39,11 @@ #. Type: boolean #. Description #: ../mysql-server-5.1.templates:2001 -#, fuzzy -#| msgid -#| Such file is an indication that a mysql-server package with a higher -#| version has been installed earlier. msgid Such a file is an indication that a mysql-server package with a higher version has been installed previously. -msgstr To znamená, že již byl nainstalován balÃk mysql-server s vyÅ¡Å¡Ã verzÃ. +msgstr +To znamená, že zde byl dÅÃve nainstalován balÃk mysql-server s vyÅ¡Å¡Ã verzÃ. #. Type: boolean #. Description @@ -71,19 +68,18 @@ Using MySQL under NIS/YP requires a mysql user account to be added on the local system with: msgstr +Použità MySQL pod NIS/YP vyžaduje, abyste na lokálnÃm systému pÅidali úÄet +pro uživatele mysql pÅÃkazem: #. Type: note #. Description #: ../mysql-server-5.1.templates:3001 -#, fuzzy -#| msgid -#| You should also check the permissions and the owner of the /var/lib/mysql -#| directory: msgid You should also check the permissions and ownership of the /var/lib/mysql directory: msgstr -Také byste mÄli zkontrolovat vlastnÃka a oprávnÄnà adresáÅe /var/lib/mysql: +Také byste mÄli zkontrolovat vlastnictvà a oprávnÄnà k adresáÅi /var/lib/ +mysql: #. Type: boolean #. Description @@ -125,14 +121,14 @@ The MySQL server can be launched automatically at boot time or manually with the '/etc/init.d/mysql start' command. msgstr -MySQL se může spouÅ¡tÄt automaticky pÅi startu systému, nebo ruÄnÄ pÅÃkazem '/ -etc/init.d/mysql start'. +MySQL se může spouÅ¡tÄt automaticky pÅi startu systému, nebo ruÄnÄ pÅÃkazem â/ +etc/init.d/mysql startâ. #. Type: password #. Description #: ../mysql-server-5.1.templates:6001 msgid New password for the MySQL \root\ user: -msgstr Nové heslo MySQL uživatele \root\: +msgstr Nové heslo MySQL uživatele ârootâ: #. Type: password #. Description 
@@ -142,29 +138,25 @@ the MySQL administrative \root\ user. msgstr PÅestože to nenà nezbytné, je silnÄ doporuÄeno nastavit heslo u -správcovského MySQL úÄtu \root\. +správcovského MySQL úÄtu ârootâ. #. Type: password #. Description #: ../mysql-server-5.1.templates:6001 -#, fuzzy -#| msgid If that field is left blank, the password will not be changed. msgid If this field is left blank, the password will not be changed. msgstr Ponecháte-li pole prázdné, heslo se nezmÄnÃ. #. Type: password #. Description #: ../mysql-server-5.1.templates:7001 -#, fuzzy -#| msgid New password for the MySQL \root\ user: msgid Repeat password for the MySQL \root\ user: -msgstr Nové heslo MySQL uživatele \root\: +msgstr Zopakujte heslo MySQL uživatele ârootâ: #. Type: error #. Description #: ../mysql-server-5.1.templates:8001 msgid Unable to set password for the MySQL \root\ user -msgstr Nelze nastavit heslo MySQL uživatele \root\ +msgstr Nelze nastavit heslo MySQL uživatele ârootâ #. Type: error #. Description @@ -181,19 +173,12 @@ #. Type: error
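Review bot: If these translations ship in the same upload as the security patch, as the message asks, the new debian/changelog stanza should not stay a separate `5.1.49-1.1` non-maintainer entry marked `UNRELEASED; urgency=low`. Fold the four `Closes:` lines into the changelog entry of the upload that carries the security fixes, and set that entry's urgency to match a bug filed at severity grave.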
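Review bot: Run `msgfmt -c` on debian/po/cs.po before upload, because the msgstr lines in the cs.po hunks display as mis-encoded text here (for example the replacement msgstr in the `@@ -39,14 +39,11 @@` hunk), and it is worth confirming that the attached file itself is valid UTF-8. The `#, fuzzy` removals are consistent with the strings having been reviewed: in the `@@ -142,29 +138,25 @@` hunk the `Repeat password` msgstr no longer reuses the `New password` translation.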
Bug#599937: mysql-5.1: 5.1.51 fixes several vulnerabilities
Package: mysql-5.1
Severity: grave
Tags: security
Justification: user security hole

5.1.51 fixes eight security issues. It has already been uploaded to experimental, so depending on the amount and quality of changes it needs to be checked whether this version should be uploaded to Squeeze or fixes need to be cherry-picked:

The following CVE assignments have been made:

Bug#55826 - incorrect propagation of type errors in evaluation of arguments to extreme-value functions
CVE-2010-3833
create table .. select crashes with when KILL_BAD_DATA is returned
5.0.91,5.1.49,5.1.50-bzr,5.5.5

Bug#55568 - The server could crash after materializing a derived table that required a temporary table for grouping.
CVE-2010-3834
user variable assignments crash server when used within query
5.0.91-debug,5.1.49-debug

Bug #55564 - A user-variable assignment expression that is evaluated in a logical expression context can be precalculated in a temporary table for GROUP BY. However, when the expression value is used after creation of the temporary table, it was re-evaluated, not read from the table and a server crash resulted.
CVE-2010-3835
crash with user variables, assignments, joins...
5.0.92, 5.1.37, 5.1.49, 5.1.50-bzr, 5.5.6-m3

Bug#54568 - Pre-evaluation of LIKE predicates during view preparation could cause a server crash.
CVE-2010-3836
create view cause Assertion failed: 0, file .\item_subselect.cc, line 836
5.0.91-debug, 5.1.47-debug

Bug#54476 - GROUP_CONCAT() and WITH ROLLUP together could cause a server crash.
CVE-2010-3837
crash when group_concat and 'with rollup' in prepared statements
5.0.91, 5.1.47, 5.1.49-bzr, 5.5.3
see: [23 Jul 14:25] Alexey Kopytov

Bug#54461 - Queries could cause a server crash if the GREATEST() or LEAST() function had a mixed list of numeric and LONGBLOB arguments, and the result of such a function was processed using an intermediate temporary table.
CVE-2010-3838
crash with longblob and union or update with subquery
5.0.91,5.1.47, 5.5.3, 5.5.5-m3

Bug#53544 - Queries with nested joins could cause an infinite loop in the server when used from stored procedures and prepared statements.
CVE-2010-3839
Server hangs during JOIN query in stored procedure called twice in a row
5.1.47, 5.6.99-m4 Dahlia, bzr_mysql-6.0-codebase-bugfixing

Bug#51875 - The PolyFromWKB() function could crash the server when improper WKB data was passed to the function.
CVE-2010-3840
crash when loading data into geometry function polyfromwkb
5.0.90,5.1.44

-- System Information:
Shell: /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)