Issued: 2007-02-19
Updated: 2007-02-19

RHSA-2007:0083 - Low: mysql security update


Synopsis

Low: mysql security update

Type/Severity

Security Advisory Low

Topic

Updated MySQL packages for the Red Hat Application Stack comprising the v1.1 release are now available.

This update also resolves some minor security issues rated as having low security impact by the Red Hat Security Response Team.

Description

Several minor security issues were found in MySQL:

MySQL allowed remote authenticated users to create or access a database when the database name differed only in case from a database for which they had permissions. (CVE-2006-4226)

MySQL evaluated arguments in the wrong security context which allowed remote authenticated users to gain privileges through a routine that had been made available using GRANT EXECUTE. (CVE-2006-4227)

MySQL allowed a local user to access a table through a previously created MERGE table, even after the user's privileges were revoked for the original table, which might violate intended security policy. (CVE-2006-4031)

MySQL allowed authenticated users to cause a denial of service (crash) via a NULL second argument to the str_to_date function. (CVE-2006-3081)

MySQL allowed local authenticated users to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903)

Users of MySQL should upgrade to these updated packages, which resolve these issues.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

Affected Products

Product                      Version  Arch
Red Hat Application Stack 1  1        x86_64
Red Hat Application Stack 1  1        i386

Updated Packages

  • mysql-5.0.30-1.el4s1.1.x86_64.rpm
  • mysql-devel-5.0.30-1.el4s1.1.i386.rpm
  • mysql-bench-5.0.30-1.el4s1.1.i386.rpm
  • mysql-server-5.0.30-1.el4s1.1.x86_64.rpm
  • mysql-test-5.0.30-1.el4s1.1.x86_64.rpm
  • mysql-server-5.0.30-1.el4s1.1.i386.rpm
  • mysql-devel-5.0.30-1.el4s1.1.x86_64.rpm
  • mysql-5.0.30-1.el4s1.1.i386.rpm
  • mysql-test-5.0.30-1.el4s1.1.i386.rpm
  • mysql-bench-5.0.30-1.el4s1.1.x86_64.rpm
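
Because `rpm -Fvh` only touches packages that are already installed, it is worth confirming afterwards that no installed MySQL package predates the builds listed above. The check below is an added example, not part of the Red Hat advisory. It assumes GNU `sort -V` approximates rpm's version ordering and ignores epochs; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag MySQL packages older than the build in this advisory.
FIXED="5.0.30-1.el4s1.1"   # version-release from the Updated Packages list

# is_older A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` stands in for rpm's comparison; epochs ignored.
is_older() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_mysql: reads "name version-release arch" lines on stdin, prints one
# line per outdated package, and returns 1 if any were found.
audit_mysql() {
    rc=0
    while read -r name evr arch; do
        case "$name" in
            mysql|mysql-server|mysql-devel|mysql-bench|mysql-test) ;;
            *) continue ;;   # not a package shipped by this erratum
        esac
        if is_older "$evr" "$FIXED"; then
            echo "OUTDATED $name-$evr.$arch (want >= $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    cat <<'EOF'
mysql 5.0.30-1.el4s1.1 x86_64
mysql-server 5.0.22-1.el4s1.1 x86_64
mysql-devel 5.0.30-1.el4s1.1 i386
httpd 2.0.59-1.el4s1.1 x86_64
EOF
}

# Demonstration on the constructed sample. On a live system use instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | audit_mysql
sample_inventory | audit_mysql || true
```

A non-zero return from `audit_mysql` means at least one installed package still needs the update.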
