- Issued: 2007-09-10
- Updated: 2007-09-10
RHSA-2007:0894 - Important: mysql security update
Synopsis
Important: mysql security update
Type/Severity
Security Advisory Important
Topic
Updated MySQL packages, included in the Red Hat Application Stack v1.2 release, fix various security issues.
The security issues in this errata are rated as having important security impact by the Red Hat Security Response Team.
Description
On 23 August 2007, Red Hat Application Stack v1.2 was released. This release contained a new version of MySQL that corrected several security issues found in the MySQL packages of Red Hat Application Stack v1.1.
Users who have already updated to Red Hat Application Stack v1.2 will already have the new MySQL packages and are not affected by these issues.
A flaw was discovered in MySQL's authentication protocol. A remote unauthenticated attacker could send a specially crafted authentication request to the MySQL server causing it to crash. (CVE-2007-3780)
MySQL did not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement. A remote authenticated user could obtain sensitive information such as the table structure. (CVE-2007-3781)
A flaw was discovered in MySQL that allowed remote authenticated users to gain update privileges for a table in another database via a view that refers to the external table. (CVE-2007-3782)
A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. A remote authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)
MySQL did not require the DROP privilege for RENAME TABLE statements. A remote authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Application Stack 1 | 1 | x86_64 |
| Red Hat Application Stack 1 | 1 | i386 |
Updated Packages
- mysql-test-5.0.44-1.el4s1.1.i386.rpm
- mysql-test-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-libs-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-cluster-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-devel-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-server-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-devel-5.0.44-1.el4s1.1.i386.rpm
- mysql-cluster-5.0.44-1.el4s1.1.i386.rpm
- mysql-bench-5.0.44-1.el4s1.1.i386.rpm
- mysql-bench-5.0.44-1.el4s1.1.x86_64.rpm
- mysql-5.0.44-1.el4s1.1.i386.rpm
- mysql-server-5.0.44-1.el4s1.1.i386.rpm
- mysql-libs-5.0.44-1.el4s1.1.i386.rpm
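As an added example (not part of this advisory and not Red Hat tooling), the following Python script checks a list of installed package name-version-release.arch strings against the fixed package versions listed above and reports any that are still older. The installed list in the script is constructed sample data; on a real host the same strings come from `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`. The version comparison is a simplified form of rpm's rpmvercmp (alphanumeric segments compared in order, digits sorting after letters, the longer segment list winning a tie) and deliberately ignores epochs and tilde versions, which none of the packages above use.

```python
"""Patch-level check for RHSA-2007:0894 (added example, not part of the advisory)."""
import re

# Package file names taken from the advisory's "Updated Packages" list.
FIXED_PACKAGES = [
    "mysql-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-libs-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-libs-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-server-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-server-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-devel-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-devel-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-cluster-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-cluster-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-bench-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-bench-5.0.44-1.el4s1.1.x86_64.rpm",
    "mysql-test-5.0.44-1.el4s1.1.i386.rpm",
    "mysql-test-5.0.44-1.el4s1.1.x86_64.rpm",
]

# Constructed sample of installed packages (what `rpm -qa` with the
# query format shown in the lead-in would print); the 5.0.42 entries
# are invented stand-ins for an older, unpatched install.
SAMPLE_INSTALLED = [
    "mysql-5.0.42-1.el4s1.x86_64",
    "mysql-server-5.0.42-1.el4s1.x86_64",
    "mysql-libs-5.0.44-1.el4s1.1.x86_64",
    "httpd-2.2.3-1.el4s1.x86_64",  # unrelated package, must be ignored
]

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            # A numeric segment sorts after an alphabetic one, as in rpm.
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        # All shared segments equal: the string with more segments is newer.
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_nvr(ver_a, rel_a, ver_b, rel_b):
    """Compare version first, then release, rpm style."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c else rpmvercmp(rel_a, rel_b)


def find_unpatched(installed, fixed=FIXED_PACKAGES):
    """Return installed entries that are older than the advisory's fixed build."""
    fixed_index = {}
    for p in fixed:
        name, ver, rel, arch = parse_nvra(p)
        fixed_index[(name, arch)] = (ver, rel)
    unpatched = []
    for p in installed:
        name, ver, rel, arch = parse_nvra(p)
        if (name, arch) not in fixed_index:
            continue
        fver, frel = fixed_index[(name, arch)]
        if compare_nvr(ver, rel, fver, frel) < 0:
            unpatched.append(p)
    return unpatched


if __name__ == "__main__":
    for p in find_unpatched(SAMPLE_INSTALLED):
        print("needs update:", p)
```

Running the script as-is reports the two constructed 5.0.42 entries and stays silent about mysql-libs, which is already at the fixed build. Feeding it the real `rpm -qa` output instead of SAMPLE_INSTALLED gives a quick pre- and post-update check that complements `rpm -Fvh`, which only upgrades packages already present and therefore will not report anything that is missing from the host.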
Fixes
- BZ 241688
- BZ 241689
- BZ 248553
- BZ 254108
CVEs
- CVE-2007-2691
- CVE-2007-2692
- CVE-2007-3780
- CVE-2007-3781
- CVE-2007-3782
References
- https://rhn.redhat.com/errata/RHEA-2007-0842.html
- http://www.redhat.com/security/updates/classification/#important
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.