Test ID: 1.3.6.1.4.1.25623.1.0.60679
Category: Ubuntu Local Security Checks
Title: Ubuntu USN-588-2 (mysql-dfsg-5.0)
Summary: Ubuntu USN-588-2 (mysql-dfsg-5.0)
Description:
The remote host is missing an update to mysql-dfsg-5.0
announced via advisory USN-588-2.

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

Details follow:

USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for
Ubuntu 6.06, additional improvements were made to make privilege checks
more restrictive. As a result, an upstream bug was exposed which could
cause operations on tables or views in a different database to fail. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Masaaki Hirose discovered that MySQL could be made to dereference
a NULL pointer. An authenticated user could cause a denial of service
(application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA
table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232)

Alexander Nozdrin discovered that MySQL did not restore database access
privileges when returning from SQL SECURITY INVOKER stored routines. An
authenticated user could exploit this to gain privileges. This issue
does not affect Ubuntu 7.10. (CVE-2007-2692)

Martin Friebe discovered that MySQL did not properly update the DEFINER
value of an altered view. An authenticated user could use CREATE SQL
SECURITY DEFINER VIEW and ALTER VIEW statements to gain privileges.
(CVE-2007-6303)

Luigi Auriemma discovered that yaSSL as included in MySQL did not
properly validate its input. A remote attacker could send crafted
requests and cause a denial of service or possibly execute arbitrary
code. This issue did not affect Ubuntu 6.06 in the default installation.
(CVE-2008-0226, CVE-2008-0227)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
mysql-server-5.0 5.0.22-0ubuntu6.06.9

In general, a standard system upgrade is sufficient to effect the
necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-588-2

Risk factor: High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-2692
Bugtraq: 20070717 rPSA-2007-0143-1 mysql mysql-bench mysql-server
http://www.securityfocus.com/archive/1/archive/1/473874/100/0/threaded
http://lists.mysql.com/announce/470
http://bugs.mysql.com/bug.php?id=27337
Debian Security Information: DSA-1413
http://www.debian.org/security/2007/dsa-1413
http://www.mandriva.com/security/advisories?name=MDVSA-2008:028
http://www.redhat.com/support/errata/RHSA-2007-0894.html
http://www.redhat.com/support/errata/RHSA-2008-0364.html
SuSE Security Announcement: SUSE-SR:2008:003
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html
http://www.ubuntu.com/usn/usn-588-1
BugTraq ID: 24011
http://www.securityfocus.com/bid/24011
http://osvdb.org/34765
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9166
http://secunia.com/advisories/30351
http://www.vupen.com/english/advisories/2007/1804
http://www.securitytracker.com/id?1018070
http://secunia.com/advisories/25301
http://secunia.com/advisories/26073
http://secunia.com/advisories/26430
http://secunia.com/advisories/27823
http://secunia.com/advisories/28637
http://secunia.com/advisories/28838
http://secunia.com/advisories/29443
XForce ISS Database: mysql-changedb-privilege-escalation(34348)
http://xforce.iss.net/xforce/xfdb/34348
Common Vulnerability Exposure (CVE) ID: CVE-2006-7232
SuSE Security Announcement: SUSE-SR:2008:017
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
BugTraq ID: 28351
http://www.securityfocus.com/bid/28351
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11720
http://secunia.com/advisories/31687
Common Vulnerability Exposure (CVE) ID: CVE-2007-6303
Bugtraq: 20080205 rPSA-2008-0040-1 mysql mysql-bench mysql-server
http://www.securityfocus.com/archive/1/archive/1/487606/100/0/threaded
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00467.html
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00475.html
http://security.gentoo.org/glsa/glsa-200804-04.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:017
http://www.redhat.com/support/errata/RHSA-2007-1157.html
BugTraq ID: 26832
http://www.securityfocus.com/bid/26832
http://www.vupen.com/english/advisories/2007/4198
http://securitytracker.com/id?1019085
http://secunia.com/advisories/28063
http://secunia.com/advisories/28025
http://secunia.com/advisories/28739
http://secunia.com/advisories/29706
XForce ISS Database: mysql-definer-value-privilege-escalation(38989)
http://xforce.iss.net/xforce/xfdb/38989
Common Vulnerability Exposure (CVE) ID: CVE-2008-0226
Bugtraq: 20080104 Multiple vulnerabilities in yaSSL 1.7.5
http://www.securityfocus.com/archive/1/archive/1/485810/100/0/threaded
Bugtraq: 20080104 Pre-auth buffer-overflow in mySQL through yaSSL
http://www.securityfocus.com/archive/1/archive/1/485811/100/0/threaded
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
Debian Security Information: DSA-1478
http://www.debian.org/security/2008/dsa-1478
http://www.mandriva.com/security/advisories?name=MDVSA-2008:150
BugTraq ID: 27140
http://www.securityfocus.com/bid/27140
BugTraq ID: 31681
http://www.securityfocus.com/bid/31681
http://www.vupen.com/english/advisories/2008/0560/references
http://www.vupen.com/english/advisories/2008/2780
http://secunia.com/advisories/28324
http://secunia.com/advisories/28419
http://secunia.com/advisories/28597
http://secunia.com/advisories/32222
http://securityreason.com/securityalert/3531
XForce ISS Database: yassl-inputbufferoperator-bo(39431)
http://xforce.iss.net/xforce/xfdb/39431
XForce ISS Database: yassl-processoldclienthello-bo(39429)
http://xforce.iss.net/xforce/xfdb/39429
Common Vulnerability Exposure (CVE) ID: CVE-2008-0227
XForce ISS Database: yassl-hashwithtransformupdate-dos(39433)
http://xforce.iss.net/xforce/xfdb/39433
Copyright: Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
