English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 75803 CVE descriptions
and 40037 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.66828
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2010:0109
Summary:Redhat Security Advisory RHSA-2010:0109
Description:The remote host is missing updates announced in
advisory RHSA-2010:0109.

MySQL is a multi-user, multi-threaded SQL database server. It consists of
the MySQL server daemon (mysqld) and many client programs and libraries.

It was discovered that the MySQL client ignored certain SSL certificate
verification errors when connecting to servers. A man-in-the-middle
attacker could use this flaw to trick MySQL clients into connecting to a
spoofed MySQL server. (CVE-2009-4028)

Note: This fix may uncover previously hidden SSL configuration issues, such
as incorrect CA certificates being used by clients or expired server
certificates. This update should be carefully tested in deployments where
SSL connections are used.

A flaw was found in the way MySQL handled SELECT statements with subqueries
in the WHERE clause, that assigned results to a user variable. A remote,
authenticated attacker could use this flaw to crash the MySQL server daemon
(mysqld). This issue only caused a temporary denial of service, as the
MySQL daemon was automatically restarted after the crash. (CVE-2009-4019)

When the datadir option was configured with a relative path, MySQL did
not properly check paths used as arguments for the DATA DIRECTORY and INDEX
DIRECTORY directives. An authenticated attacker could use this flaw to
bypass the restriction preventing the use of subdirectories of the MySQL
data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths.
(CVE-2009-4030)

Note: Due to the security risks and previous security issues related to the
use of the DATA DIRECTORY and INDEX DIRECTORY directives, users not
depending on this feature should consider disabling it by adding
symbolic-links=0 to the [mysqld] section of the my.cnf configuration
file. In this update, an example of such a configuration was added to the
default my.cnf file.

All MySQL users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. After installing this
update, the MySQL server daemon (mysqld) will be restarted automatically.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2010-0109.html
http://www.redhat.com/security/updates/classification/#moderate
http://dev.mysql.com/doc/refman/5.0/en/symbolic-links-to-tables.html

Risk factor : High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-4019
http://marc.info/?l=oss-security&m=125881733826437&w=2
http://marc.info/?l=oss-security&m=125883754215621&w=2
http://marc.info/?l=oss-security&m=125901161824278&w=2
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Debian Security Information: DSA-1997 (Google Search)
http://www.debian.org/security/2010/dsa-1997
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00764.html
http://www.redhat.com/support/errata/RHSA-2010-0109.html
SuSE Security Announcement: SUSE-SR:2010:011 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://ubuntu.com/usn/usn-897-1
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11349
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8500
http://secunia.com/advisories/37717
http://secunia.com/advisories/38573
http://secunia.com/advisories/38517
http://www.vupen.com/english/advisories/2010/1107
Common Vulnerability Exposure (CVE) ID: CVE-2009-4028
http://lists.mysql.com/commits/87446
http://www.openwall.com/lists/oss-security/2009/11/19/3
http://www.openwall.com/lists/oss-security/2009/11/23/16
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10940
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8510
Common Vulnerability Exposure (CVE) ID: CVE-2009-4030
http://lists.mysql.com/commits/89940
http://marc.info/?l=oss-security&m=125908040022018&w=2
http://www.openwall.com/lists/oss-security/2009/11/24/6
http://marc.info/?l=oss-security&m=125908080222685&w=2
http://www.redhat.com/support/errata/RHSA-2010-0110.html
SuSE Security Announcement: SUSE-SR:2010:021 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11116
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8156
Common Vulnerability Exposure (CVE) ID: CVE-2008-2079
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
Debian Security Information: DSA-1608 (Google Search)
http://www.debian.org/security/2008/dsa-1608
http://www.mandriva.com/security/advisories?name=MDVSA-2008:149
http://www.mandriva.com/security/advisories?name=MDVSA-2008:150
http://www.redhat.com/support/errata/RHSA-2008-0505.html
http://www.redhat.com/support/errata/RHSA-2008-0510.html
http://www.redhat.com/support/errata/RHSA-2008-0768.html
http://www.redhat.com/support/errata/RHSA-2009-1289.html
SuSE Security Announcement: SUSE-SR:2008:017 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://www.ubuntu.com/usn/USN-671-1
BugTraq ID: 29106
http://www.securityfocus.com/bid/29106
BugTraq ID: 31681
http://www.securityfocus.com/bid/31681
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10133
http://secunia.com/advisories/36701
http://secunia.com/advisories/32769
http://secunia.com/advisories/36566
http://www.vupen.com/english/advisories/2008/1472/references
http://www.vupen.com/english/advisories/2008/2780
http://www.securitytracker.com/id?1019995
http://secunia.com/advisories/30134
http://secunia.com/advisories/31066
http://secunia.com/advisories/31226
http://secunia.com/advisories/31687
http://secunia.com/advisories/32222
XForce ISS Database: mysql-myisam-security-bypass(42267)
http://xforce.iss.net/xforce/xfdb/42267
Common Vulnerability Exposure (CVE) ID: CVE-2008-4098
http://www.openwall.com/lists/oss-security/2008/09/09/20
http://www.openwall.com/lists/oss-security/2008/09/16/3
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25
Debian Security Information: DSA-1662 (Google Search)
http://www.debian.org/security/2008/dsa-1662
http://www.mandriva.com/security/advisories?name=MDVSA-2009:094
http://www.redhat.com/support/errata/RHSA-2009-1067.html
SuSE Security Announcement: SUSE-SR:2008:025 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10591
http://secunia.com/advisories/32759
http://secunia.com/advisories/32578
XForce ISS Database: mysql-myisam-symlink-security-bypass(45649)
http://xforce.iss.net/xforce/xfdb/45649
CopyrightCopyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 40037 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2014 E-Soft Inc. All rights reserved.