
Test ID: 1.3.6.1.4.1.25623.1.0.62873
Category: Red Hat Local Security Checks
Title: RedHat Security Advisory RHSA-2007:0894
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory RHSA-2007:0894.

On the 23rd August 2007, Red Hat Application Stack v1.2 was released. This
release contained a new version of MySQL that corrected several security
issues found in the MySQL packages of Red Hat Application Stack v1.1.

Users who have already updated to Red Hat Application Stack v1.2 will
already have the new MySQL packages and are not affected by these issues.

A flaw was discovered in MySQL's authentication protocol. A remote
unauthenticated attacker could send a specially crafted authentication
request to the MySQL server causing it to crash. (CVE-2007-3780)

MySQL did not require privileges such as SELECT for the source table in a
CREATE TABLE LIKE statement. A remote authenticated user could obtain
sensitive information such as the table structure. (CVE-2007-3781)

A flaw was discovered in MySQL that allowed remote authenticated
users to gain update privileges for a table in another database via a view
that refers to the external table. (CVE-2007-3782)

A flaw was discovered in the mysql_change_db function when returning from
SQL SECURITY INVOKER stored routines. A remote authenticated user could
use this flaw to gain database privileges. (CVE-2007-2692)

MySQL did not require the DROP privilege for RENAME TABLE statements. A
remote authenticated user could use this flaw to rename arbitrary tables.
(CVE-2007-2691)

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2007-0894.html
http://www.redhat.com/security/updates/classification/#important

Risk factor : High

CVSS Score:
6.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-2691
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
BugTraq ID: 24016
http://www.securityfocus.com/bid/24016
BugTraq ID: 31681
http://www.securityfocus.com/bid/31681
Bugtraq: 20070717 rPSA-2007-0143-1 mysql mysql-bench mysql-server
http://www.securityfocus.com/archive/1/473874/100/0/threaded
Debian Security Information: DSA-1413
http://www.debian.org/security/2007/dsa-1413
http://www.mandriva.com/security/advisories?name=MDKSA-2007:139
http://bugs.mysql.com/bug.php?id=27515
http://lists.mysql.com/announce/470
http://osvdb.org/34766
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9559
http://www.redhat.com/support/errata/RHSA-2007-0894.html
http://www.redhat.com/support/errata/RHSA-2008-0364.html
http://www.redhat.com/support/errata/RHSA-2008-0768.html
http://www.securitytracker.com/id?1018069
http://secunia.com/advisories/25301
http://secunia.com/advisories/25946
http://secunia.com/advisories/26073
http://secunia.com/advisories/26430
http://secunia.com/advisories/27155
http://secunia.com/advisories/27823
http://secunia.com/advisories/28838
http://secunia.com/advisories/30351
http://secunia.com/advisories/31226
http://secunia.com/advisories/32222
SuSE Security Announcement: SUSE-SR:2008:003
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html
https://usn.ubuntu.com/528-1/
http://www.vupen.com/english/advisories/2007/1804
http://www.vupen.com/english/advisories/2008/2780
XForce ISS Database: mysql-renametable-weak-security(34347)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34347
Common Vulnerability Exposure (CVE) ID: CVE-2007-2692
BugTraq ID: 24011
http://www.securityfocus.com/bid/24011
http://www.mandriva.com/security/advisories?name=MDVSA-2008:028
http://bugs.mysql.com/bug.php?id=27337
http://osvdb.org/34765
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9166
http://www.securitytracker.com/id?1018070
http://secunia.com/advisories/28637
http://secunia.com/advisories/29443
http://www.ubuntu.com/usn/usn-588-1
XForce ISS Database: mysql-changedb-privilege-escalation(34348)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34348
Common Vulnerability Exposure (CVE) ID: CVE-2007-3780
BugTraq ID: 25017
http://www.securityfocus.com/bid/25017
http://security.gentoo.org/glsa/glsa-200708-10.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:177
http://bugs.mysql.com/bug.php?id=28984
http://osvdb.org/36732
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11058
http://www.redhat.com/support/errata/RHSA-2007-0875.html
http://www.securitytracker.com/id?1018629
http://secunia.com/advisories/26498
http://secunia.com/advisories/26621
http://secunia.com/advisories/26710
http://secunia.com/advisories/26987
SuSE Security Announcement: SUSE-SR:2007:019
http://www.novell.com/linux/security/advisories/2007_19_sr.html
http://www.vupen.com/english/advisories/2008/1000/references
Common Vulnerability Exposure (CVE) ID: CVE-2007-3781
Debian Security Information: DSA-1451
http://www.debian.org/security/2008/dsa-1451
http://www.mandriva.com/security/advisories?name=MDKSA-2007:243
http://bugs.mysql.com/bug.php?id=25578
http://osvdb.org/37783
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9195
http://secunia.com/advisories/28040
http://secunia.com/advisories/28108
http://secunia.com/advisories/28128
http://secunia.com/advisories/28343
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.428959
https://usn.ubuntu.com/559-1/
Common Vulnerability Exposure (CVE) ID: CVE-2007-3782
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10563
http://securitytracker.com/id?1018663
Copyright: Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
