Referenced CVEs:
CVE-2008-2079, CVE-2008-3963, CVE-2008-4097, CVE-2008-4098
Description:
===========================================================Ubuntu Security Notice USN-671-1 November 17, 2008mysql-dfsg-5.0 vulnerabilitiesCVE-2008-2079, CVE-2008-3963, CVE-2008-4097, CVE-2008-4098===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: mysql-server-5.0 5.0.22-0ubuntu6.06.11Ubuntu 7.10: mysql-server-5.0 5.0.45-1ubuntu3.4Ubuntu 8.04 LTS: mysql-server-5.0 5.0.51a-3ubuntu5.4In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:It was discovered that MySQL could be made to overwrite existing tablefiles in the data directory. An authenticated user could use theDATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilegechecks. This update alters table creation behaviour by disallowing theuse of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORYoptions. (CVE-2008-2079, CVE-2008-4097 and CVE-2008-4098)It was discovered that MySQL did not handle empty bit-string literalsproperly. An attacker could exploit this problem and cause the MySQLserver to crash, leading to a denial of service. (CVE-2008-3963)
More...
