Post 302153203 by Linux Bot on Sunday 23rd of December 2007 11:52:05 PM
Old 12-24-2007
USN-559-1: MySQL vulnerabilities

Referenced CVEs:
CVE-2007-3781 CVE-2007-5925 CVE-2007-5969 CVE-2007-6304


Description:
===========================================================
Ubuntu Security Notice USN-559-1          December 21, 2007
mysql-dfsg-5.0 vulnerabilities
CVE-2007-3781, CVE-2007-5925, CVE-2007-5969, CVE-2007-6304
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mysql-server-5.0    5.0.22-0ubuntu6.06.6

Ubuntu 6.10:
  mysql-server-5.0    5.0.24a-9ubuntu2.2

Ubuntu 7.04:
  mysql-server-5.0    5.0.38-0ubuntu1.2

Ubuntu 7.10:
  mysql-server-5.0    5.0.45-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Joe Gallo and Artem Russakovskii discovered that the InnoDB
engine in MySQL did not properly perform input validation. An
authenticated user could use a crafted CONTAINS statement to
cause a denial of service. (CVE-2007-5925)

It was discovered that under certain conditions MySQL could be
made to overwrite system table information. An authenticated
user could use a crafted RENAME statement to escalate privileges.
(CVE-2007-5969)

Philip Stoev discovered that the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service. (CVE-2007-6304)

It was discovered that MySQL did not properly enforce access
controls. An authenticated user could use a crafted CREATE TABLE
LIKE statement to escalate privileges. (CVE-2007-3781)





DATEFUDGE(1)                          Debian                          DATEFUDGE(1)

NAME
       datefudge - pretend the system time is different

SYNOPSIS
       datefudge [-s|--static] at_date program [arguments ...]

DESCRIPTION
       datefudge is a small utility that pretends that the system time is
       different by pre-loading a small library which modifies the time(2),
       gettimeofday(2) and clock_gettime(2) system calls.

OPTIONS
       --static, -s
              set date as a `static' one. The above mentioned system calls
              will always return the date passed as a parameter of the
              program regardless of time passing. See EXAMPLES below.

       --help, -h
              print short usage information and exit.

       --version, -v
              print version information and exit.

EXAMPLES
       Basic example:

              $ datefudge "2007-04-01 10:23" date -R
              Sun, 01 Apr 2007 10:23:00 +0200

       Non-static vs. static example:

              $ datefudge "2007-04-01 10:23" sh -c "sleep 3; date -R"
              Sun, 01 Apr 2007 10:23:03 +0200

              $ datefudge --static "2007-04-01 10:23" sh -c "sleep 3; date -R"
              Sun, 01 Apr 2007 10:23:00 +0200

AUTHOR
       Written by Matthias Urlichs <smurf@noris.de>. Modified by Robert
       Luberda <robert@debian.org>.

BUGS
       There is no attempt to make this change undetectable by the program.
       In particular, file modification times are not modified.

COPYRIGHT
       Copyright (C) 2003 by Matthias Urlichs.
       Copyright (C) 2008-2011 by Robert Luberda.

       There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
       PARTICULAR PURPOSE. You may redistribute copies of datefudge under
       the terms of the GNU General Public License. For more information
       about these matters, see the file named COPYING.

SEE ALSO
       ld.so(1), time(2), gettimeofday(2), clock_gettime(2)

datefudge 1.17                    June 23th, 2011                    DATEFUDGE(1)