| Description: | Description:
The remote host is missing an update to mysql-dfsg
announced via advisory USN-96-1.
Stefano Di Paola discovered three privilege escalation flaws in the MySQL
server:
- If an authenticated user had INSERT privileges on the 'mysql' administrative
database, the CREATE FUNCTION command allowed that user to use libc functions
to execute arbitrary code with the privileges of the database server (user
'mysql'). (CVE-2005-0709)
- If an authenticated user had INSERT privileges on the 'mysql' administrative
database, it was possible to load a library located in an arbitrary directory
by using INSERT INTO mysql.func instead of CREATE FUNCTION. This allowed the
user to execute arbitrary code with the privileges of the database server (user
'mysql'). (CVE-2005-0710)
- Temporary files belonging to tables created with CREATE TEMPORARY TABLE were
handled in an insecure way. This allowed any local computer user to overwrite
arbitrary files with the privileges of the database server. (CVE-2005-0711)
Matt Brubeck discovered that the directory /usr/share/mysql/ was owned and
writable by the database server user 'mysql'. This directory contains scripts
which are usually run by root. This allowed a local attacker who already has
mysql privileges to gain full root access by modifying a script and tricking
root into executing it.
The following packages are affected: mysql-server
Solution:
The problem can be corrected by upgrading the affected package to
version 4.0.20-2ubuntu1.4. In general, a standard system upgrade is
sufficient to effect the necessary changes.
http://www.securityspace.com/smysecure/catid.html?in=USN-96-1
Risk factor : Medium
CVSS Score:
4.6
|
