#375694 - SECURITY: date_format('%d%s', 1) crashs server - Debian Bug report logs
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head> <link rel="icon" href="/favicon.png"> <title>#375694 - SECURITY: date_format('%d%s', 1) crashs server - Debian Bug report logs</title> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="/css/bugs.css" type="text/css"> <link rel="canonical" href="<a href="bugreport.cgi?bug=375694">375694</a>"> <script type="text/javascript"> <!-- function toggle_infmessages() { allDivs=document.getElementsByTagName("div"); for (var i = 0 ; i < allDivs.length ; i++ ) { if (allDivs[i].className == "infmessage") { allDivs[i].style.display=(allDivs[i].style.display == 'none' | allDivs[i].style.display == '') ? 'block' : 'none'; } } } --> </script> </head> <body> <h1>Debian Bug report logs - <a href="mailto:375694@bugs.debian.org">#375694</a><br> SECURITY: date_format('%d%s', 1) crashs server</h1> <div class="versiongraph"><a href="version.cgi?collapse=1;info=1;found=mysql-server-4.1%2F4.1.11a-4sarge4;package=mysql-server-4.1;fixed=mysql-dfsg-4.1%2F4.1.11a-4sarge5;absolute=0"><img alt="version graph" src="version.cgi?collapse=1;found=mysql-server-4.1%2F4.1.11a-4sarge4;fixed=mysql-dfsg-4.1%2F4.1.11a-4sarge5;package=mysql-server-4.1;width=2;height=2;absolute=0"></a></div> <div class="pkginfo"> <p>Package: <a class="submitter" href="pkgreport.cgi?package=mysql-server-4.1">mysql-server-4.1</a>; Maintainer for <a href="pkgreport.cgi?package=mysql-server-4.1">mysql-server-4.1</a> is <a href="pkgreport.cgi?maint=">(unknown)</a>; </p> </div> <div class="buginfo"> <p>Reported by: <a href="pkgreport.cgi?submitter=jean-david%40kesako.ch">Maillefer Jean-David <jean-david@kesako.ch></a></p> <p>Date: Tue, 27 Jun 2006 16:33:12 UTC</p> <p>Severity: <em class="severity">grave</em></p> <p>Tags: confirmed, security, upstream</p> <p>Found in version mysql-server-4.1/4.1.11a-4sarge4</p> <p>Fixed in version 
mysql-dfsg-4.1/4.1.11a-4sarge5</p> <p><strong>Done:</strong> Christian Hammers <ch@debian.org></p> <p>Bug is archived. No further changes may be made.<p><p>Forwarded to <a href="http://bugs.mysql.com/?id=20729">http://bugs.mysql.com/?id=20729</a></p> </div> <p><input id="uselessmesages" type="checkbox"><label for="uselessmessages">Display info messages</label></p><div class="msgreceived"><p>View this report as an <a href="bugreport.cgi?bug=375694;mbox=yes">mbox folder</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;mboxstatus=yes">status mbox</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;mboxmaint=yes">maintainer mbox</a></p></div> <div class="infmessage"><hr><p> <a name="1"></a> <strong>Report forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=2">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=2">mbox</a>, <a href="#1">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="3"></a> <strong>Acknowledgement sent</strong> to <code>Maillefer Jean-David <jean-david@kesako.ch></code>:<br> New Bug report received and forwarded. Copy sent to <code>Christian Hammers <ch@debian.org></code>.<p> <P> Your message specified a Severity: in the pseudo-header, but the severity value maybe critical was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed. 
<P> <p> (<a href="bugreport.cgi?bug=375694;msg=4">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=4">mbox</a>, <a href="#3">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="5"></a><a name="msg5"></a><a href="#5">Message #5</a> received at submit@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=5">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=5">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=jean-david%40kesako.ch" alt=""> <div class="header"><span class="headerfield">From:</span> Maillefer Jean-David <jean-david@kesako.ch></div> <div class="header"><span class="headerfield">To:</span> submit@bugs.debian.org, ch@debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Bad date_format() call makes mysql server crash</div> <div
class="header"><span class="headerfield">Date:</span> Tue, 27 Jun 2006 18:30:11 +0200</div> </div> <pre class="mime">[<a href="bugreport.cgi?att=0;bug=375694;msg=5">Message part 1</a> (text/plain, inline)]</pre> <pre class="message">Package: mysql-server-4.1
Version: 4.1.11a-4sarge4
Severity: maybe critical

The bug can be reproduced by entering the following SQL code:
    select date_format('%Y-%m-%d %H:%i:%s', 1151414896);

It's not correct SQL, and I expect a syntax error, but it should not
crash the server!

I think it can be simplified to:
    select date_format('%d%s', 1);

I tried on different machines:
Debian GNU/Linux 3.1, mysql-server-4.1 4.1.11a-4sarge4
Linux skool 2.6.11 #2 SMP Thu May 26 20:53:11 CEST 2005 i686 GNU/Linux
Debian GNU/Linux 3.0, mysql-server-4.1 4.1.11a-4sarge4
Linux KSKO04 2.4.23-xfs #1 SMP Mi Dez 10 22:25:03 CET 2003 i686 GNU/Linux

Sample Run:

jdadmin@skool:~$ mysql -u root -h 192.168.1.104
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 219 to server version: 4.1.11-Debian_4sarge2-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 1
Current database: *** NONE ***

ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select;
ERROR 2006 (HY000): MySQL server has gone away
....

logs from syslog:

Jun 27 17:19:25 skool mysqld[28116]: mysqld got signal 11;
Jun 27 17:19:25 skool mysqld[28116]: This could be because you hit a bug. It is also possible that this binary
Jun 27 17:19:25 skool mysqld[28116]: or one of the libraries it was linked against is corrupt, improperly built,
Jun 27 17:19:25 skool mysqld[28116]: or misconfigured. This error can also be caused by malfunctioning hardware.
Jun 27 17:19:25 skool mysqld[28116]: We will try our best to scrape up some info that will hopefully help diagnose
Jun 27 17:19:25 skool mysqld[28116]: the problem, but since we have already crashed, something is definitely wrong
Jun 27 17:19:25 skool mysqld[28116]: and this may fail.
Jun 27 17:19:25 skool mysqld[28116]:
Jun 27 17:19:25 skool mysqld[28116]: key_buffer_size=16777216
Jun 27 17:19:25 skool mysqld[28116]: read_buffer_size=131072
Jun 27 17:19:25 skool mysqld[28116]: max_used_connections=11
Jun 27 17:19:25 skool mysqld[28116]: max_connections=100
Jun 27 17:19:25 skool mysqld[28116]: threads_connected=2
Jun 27 17:19:25 skool mysqld[28116]: It is possible that mysqld could use up to
Jun 27 17:19:25 skool mysqld[28116]: key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 233983 K
Jun 27 17:19:25 skool mysqld[28116]: bytes of memory
Jun 27 17:19:25 skool mysqld[28116]: Hope that's ok; if not, decrease some variables in the equation.
Jun 27 17:19:25 skool mysqld[28116]:
Jun 27 17:19:25 skool mysqld[28116]: thd=0x8bd1158
Jun 27 17:19:25 skool mysqld[28116]: Attempting backtrace. You can use the following information to find out
Jun 27 17:19:25 skool mysqld[28116]: where mysqld died. If you see no messages after this, something went
Jun 27 17:19:25 skool mysqld[28116]: terribly wrong...
Jun 27 17:19:25 skool mysqld[28116]: Cannot determine thread, fp=0xb147fc7c, backtrace may not be correct.
Jun 27 17:19:25 skool mysqld[28116]: Stack range sanity check OK, backtrace follows:
Jun 27 17:19:25 skool mysqld[28116]: 0x818935f
Jun 27 17:19:25 skool mysqld[28116]: 0xffffe420
Jun 27 17:19:25 skool mysqld[28116]: 0x38363032
Jun 27 17:19:25 skool mysqld[28116]: Stack trace seems successful - bottom reached
Jun 27 17:19:25 skool mysqld[28116]: Please read <a href="http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html">http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html</a> and follow instructions on how to resolve the stack trace. Resolved
Jun 27 17:19:25 skool mysqld[28116]: stack trace is much more helpful in diagnosing the problem, so please do
Jun 27 17:19:25 skool mysqld[28116]: resolve it
Jun 27 17:19:25 skool mysqld[28116]: Trying to get some variables.
Jun 27 17:19:25 skool mysqld[28116]: Some pointers may be invalid and cause the dump to abort...
Jun 27 17:19:25 skool mysqld[28116]: thd->query at 0x8bd45f0 = select date_format('%Y-%m-%d %H:%i:%s', 1151414896)
Jun 27 17:19:25 skool mysqld[28116]: thd->thread_id=19
Jun 27 17:19:25 skool mysqld[28116]: The manual page at <a href="http://www.mysql.com/doc/en/Crashing.html">http://www.mysql.com/doc/en/Crashing.html</a> contains
Jun 27 17:19:25 skool mysqld[28116]: information that should help you find out what is causing the crash.
Jun 27 17:19:25 skool mysqld_safe[1653]: Number of processes running now: 0
Jun 27 17:19:25 skool mysqld_safe[1655]: restarted
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25 InnoDB: Database was not shut down normally!
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Starting crash recovery.
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Reading tablespace information from the .ibd files...
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Restoring possible half-written data pages from the doublewrite
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: buffer...
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25 InnoDB: Starting log scan based on checkpoint at
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: log sequence number 0 5847414.
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Doing recovery: scanned up to log sequence number 0 5847414
Jun 27 17:19:25 skool mysqld[1658]: InnoDB: Last MySQL binlog file position 0 79, file name /var/log/mysql/mysql-bin.000204
Jun 27 17:19:25 skool mysqld[1658]: 060627 17:19:25 InnoDB: Flushing modified pages from the buffer pool...
Jun 27 17:19:26 skool mysqld[1658]: 060627 17:19:26 InnoDB: Started; log sequence number 0 5847414
Jun 27 17:19:26 skool mysqld[1658]: /usr/sbin/mysqld: ready for connections.
Jun 27 17:19:26 skool mysqld[1658]: Version: '4.1.11-Debian_4sarge4-log' socket: '/var/run/mysqld/mysqld.sock' port: 3306 Source distribution

jean-david maillefer - developer/network manager
<a href="http://www.kesako.ch">http://www.kesako.ch</a>
_________________
[kesako] - IT & internet solutions
18, rue des terreaux
case postale 967
CH-1001 lausanne
T: +41-21 3517700
F: +41-21 3517701
plan a meeting <a href="http://agenda.kesako.ch/meet/jean-david">http://agenda.kesako.ch/meet/jean-david</a>

This message and the attached documents are confidential and covered by
professional secrecy. They are intended to their addressees only. They should
not be used for any purpose and their content should not be disclosed to
anyone. In case you have received this message and the attached documents by
mistake, please advise us and delete them immediately.
</pre> <pre class="mime">[<a href="bugreport.cgi?att=1;bug=375694;msg=5">Message part 2</a> (text/html, inline)]</pre> <div class="infmessage"><hr><p> <a name="6"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>.
(<a href="bugreport.cgi?bug=375694;msg=7">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=7">mbox</a>, <a href="#6">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="8"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. (<a href="bugreport.cgi?bug=375694;msg=9">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=9">mbox</a>, <a href="#8">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="10"></a><a name="msg10"></a><a href="#10">Message #10</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=10">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=10">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> Maillefer Jean-David <jean-david@kesako.ch>, team@security.debian.org</div> <div class="header"><span class="headerfield">Cc:</span> 375694@bugs.debian.org, dc <control@bugs.debian.org></div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#375694: Bad date_format() call makes mysql server crash</div> <div class="header"><span class="headerfield">Date:</span> Tue, 27 Jun 2006 20:58:41 +0200</div> </div> <pre class="message">tags 375694 + confirmed upstream security
forwarded 375694 <a href="http://bugs.mysql.com/?id=20729">http://bugs.mysql.com/?id=20729</a>
severity 375694 grave
stop

Hello Jean-David

On 2006-06-27 Maillefer Jean-David wrote:
> The bug can be reproduced by entering the following SQL code:
>     select date_format('%Y-%m-%d %H:%i:%s', 1151414896);
>
> It's not correct SQL, and I expect a syntax error, but it should not
> crash the server!
>
> I think it can be simplified to:
>     select date_format('%d%s', 1);

It's indeed a DoS. As far as I tried 3.23 (woody), 4.0 (sarge) and 5.0 (sid)
are not vulnerable, only 4.1 (sarge). I will try the latest 4.1 version
tomorrow, if it is ok, then we might find a corresponding patch.

Did you find this bug yourself and did you already report it to MySQL?
I've just opened MySQL Bug #20729 for this. But we need to know if somebody
else has asked for a CVE security bug id already.

Security Team: As you did not yet release
  #373913: SECURITY: CAN-2006-3081: str_to_date(1,NULL) crashs the server
(btw, why? what stalls it?) we could merge those two date bugs, or?

Oh, of course I tested the new bug with the not yet released and patched
version of mysql 4.1 :) Sadly the patch does not fix both problems.

bye,

-christian-
</pre> <div class="msgreceived"><hr><p> <a name="11"></a> <strong>Tags added: confirmed, upstream, security</strong> Request was from <code>Christian Hammers <ch@debian.org></code> to <code>control@bugs.debian.org</code>. (<a href="bugreport.cgi?bug=375694;msg=12">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=12">mbox</a>, <a href="#11">link</a>).</p></p></div> <div class="msgreceived"><hr><p> <a name="13"></a> <strong>Noted your statement that Bug has been forwarded to <a href="http://bugs.mysql.com/?id=20729">http://bugs.mysql.com/?id=20729</a>.</strong> Request was from <code>Christian Hammers <ch@debian.org></code> to <code>control@bugs.debian.org</code>.
(<a href="bugreport.cgi?bug=375694;msg=14">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=14">mbox</a>, <a href="#13">link</a>).</p></p></div> <div class="msgreceived"><hr><p> <a name="15"></a> <strong>Severity set to `grave' from `normal'</strong> Request was from <code>Christian Hammers <ch@debian.org></code> to <code>control@bugs.debian.org</code>. (<a href="bugreport.cgi?bug=375694;msg=16">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=16">mbox</a>, <a href="#15">link</a>).</p></p></div> <div class="msgreceived"><hr><p> <a name="17"></a> <strong>Changed Bug title.</strong> Request was from <code>Christian Hammers <ch@debian.org></code> to <code>control@bugs.debian.org</code>. (<a href="bugreport.cgi?bug=375694;msg=18">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=18">mbox</a>, <a href="#17">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="19"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=20">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=20">mbox</a>, <a href="#19">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="21"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. 
(<a href="bugreport.cgi?bug=375694;msg=22">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=22">mbox</a>, <a href="#21">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="23"></a><a name="msg23"></a><a href="#23">Message #23</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=23">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=23">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> security@mysql.com</div> <div class="header"><span class="headerfield">Cc:</span> 375694@bugs.debian.org</div> <div class="header"><span
class="headerfield">Subject:</span> Bug #20729 security relevant?</div> <div class="header"><span class="headerfield">Date:</span> Wed, 5 Jul 2006 09:26:22 +0200</div> </div> <pre class="message">Hello MySQL Security-Team

Bug #20729 seems to be security relevant as it allows crashing the
complete server by any unprivileged user by issuing a simple query.

Whether it crashes or just prints garbage sprintf() output probably
depends on the libc version or the compiled architecture but the bug
is clearly in the mysql code.

As it does crash on Debian we will issue a security advisory for it
(and I would be happy if someone could confirm that my self written
patch does no more harm than cure :))

bye,

-christian-
</pre> <div class="infmessage"><hr><p> <a name="24"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=25">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=25">mbox</a>, <a href="#24">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="26"></a> <strong>Acknowledgement sent</strong> to <code>Sergei Golubchik <serg@mysql.com></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>.
(<a href="bugreport.cgi?bug=375694;msg=27">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=27">mbox</a>, <a href="#26">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="28"></a><a name="msg28"></a><a href="#28">Message #28</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=28">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=28">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=serg%40mysql.com" alt=""> <div class="header"><span class="headerfield">From:</span> Sergei Golubchik <serg@mysql.com></div> <div class="header"><span class="headerfield">To:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">Cc:</span> security@mysql.com, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug #20729 security relevant?</div> <div class="header"><span class="headerfield">Date:</span> Wed, 5 Jul 2006 11:48:38 +0200</div> </div> <pre class="message">Hi!

On Jul 05, Christian Hammers wrote:
> Hello MySQL Security-Team
>
> Bug #20729 seems to be security relevant as it allows crashing the
> complete server by any unprivileged user by issuing a simple query.

Agree.

> Whether it crashes or just prints garbage sprintf() output probably
> depends on the libc version or the compiled architecture but the bug
> is clearly in the mysql code.
>
> As it does crash on Debian we will issue a security advisory for it

Ok, please tell us CVE number when you'll know it.
(as usual :)

> (and I would be happy if someone could confirm that my self written
> patch does no more harm than cure :))

Done.

Regards,
Sergei

--
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, Senior Software Developer
/_/  /_/\_, /___/\___\_\___/  Kerpen, Germany
       <___/  www.mysql.com
</pre> <div class="infmessage"><hr><p> <a name="29"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=30">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=30">mbox</a>, <a href="#29">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="31"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. (<a href="bugreport.cgi?bug=375694;msg=32">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=32">mbox</a>, <a href="#31">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="33"></a><a name="msg33"></a><a href="#33">Message #33</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=33">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=33">mbox</a>, <a
href="mailto:375694@bugs.debian.org?References=%3C20060704230543.6c258cdb%40app109.intern%3E%0A%20%3C20060709193429.3caf8f2a%40app109.intern%3E&body=On%20Sun%2C%209%20Jul%202006%2019%3A34%3A29%20%2B0200%20Christian%20Hammers%20%3Cch%40debian.org%3E%20wrote%3A%0A%3E%20Hello%0A%3E%20%0A%3E%20On%202006-07-04%20Christian%20Hammers%20wrote%3A%0A%3E%20%3E%20It%27s%20time%20for%20a%20new%20MySQL%20DSA%20%3A%29%20On%0A%3E%20%3E%20%20%20http%3A%2F%2Fwww.lathspell.de%2Flinux%2Fdebian%2Fmysql%2Fsarge-4.1%20%0A%3E%20%3E%20you%20find%20%2Asarge5.deb%20pacakges%20that%20fix%20the%20following%20two%20vulnerabilities%3A%0A%3E%20%3E%20%0A%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%20%20%20%20%20%22SELECT%20str_to_date%281%2C%20NULL%29%3B%22%20%28CVE-2006-3081%29.%0A%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Kanatoko%20%3Canvil%40jumperz.net%3E.%0A%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23373913%0A%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%20%20%20%20%20%22SELECT%20date_format%28%27%25d%25s%27%2C%201%29%3B%20%28CVE-2006-XXXX%29.%0A%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Maillefer%20Jean-David%0A%3E%20%3E%20%20%20%20%20%20%3Cjean-david%40kesako.ch%3E%20and%20filed%20as%20MySQL%20bug%20%2320729.%0A%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23375694%0A%3E%20%0A%3E%20What%27s%20the%20current%20status%20of%20this%20prepared%20security%20update%3F%20%28Moritz%3F%29%0A%3E%20The%20current%20packages%20on%20lathepell.de%20contain%20now%20the%20official%20MySQL%0A%3E%20patch%20f%C3%BCr%20the%20second%20bug%20so%20there%27s%20not%20much%20work%20needed%20anymore.%0A%3E%20We%20just%20need%20a%20CVE%20id%20for%20it.%0A%3E%20%0A%3E%20Both%20bugs%20only%20affects%20Sarge%204.1%2C%20not%20Woody%203.23.%20Sarge%204.0%20or%20Sid%205.0.%0A%3E%20%0A%3E%20bye%2C%0A%3E%20%20%0A%3E%20%20-christian-%
0A%3E%20%0A%3E%20%0A&subject=Re%3A%20Status%20of%20last%20two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%20bugs&In-Reply-To=%3C20060709193429.3caf8f2a%40app109.intern%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> team@security.debian.org</div> <div class="header"><span class="headerfield">Cc:</span> Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Sun, 9 Jul 2006 19:34:29 +0200</div> </div> <pre class="message">Hello

On 2006-07-04 Christian Hammers wrote:
> It's time for a new MySQL DSA :) On
>   <a href="http://www.lathspell.de/linux/debian/mysql/sarge-4.1">http://www.lathspell.de/linux/debian/mysql/sarge-4.1</a>
> you find *sarge5.deb packages that fix the following two vulnerabilities:
>
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT str_to_date(1, NULL);" (<a href="https://security-tracker.debian.org/tracker/CVE-2006-3081">CVE-2006-3081</a>).
>      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
>      Closes: #<a href="bugreport.cgi?bug=373913">373913</a>
>    * Fixed DoS bug where any user could crash the server with
>      "SELECT date_format('%d%s', 1); (CVE-2006-XXXX).
>      The vulnerability was discovered by Maillefer Jean-David
>      <jean-david@kesako.ch> and filed as MySQL bug #20729.
>      Closes: #<a href="bugreport.cgi?bug=375694">375694</a>

What's the current status of this prepared security update? (Moritz?)
The current packages on lathepell.de contain now the official MySQL
patch für the second bug so there's not much work needed anymore.
We just need a CVE id for it.

Both bugs only affect Sarge 4.1, not Woody 3.23. Sarge 4.0 or Sid 5.0.

bye,

 -christian-
</pre> <div class="infmessage"><hr><p> <a name="34"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=35">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=35">mbox</a>, <a href="#34">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="36"></a> <strong>Acknowledgement sent</strong> to <code>Moritz Muehlenhoff <jmm@inutil.org></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>. (<a href="bugreport.cgi?bug=375694;msg=37">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=37">mbox</a>, <a href="#36">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="38"></a><a name="msg38"></a><a href="#38">Message #38</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=38">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=38">mbox</a>, <a
href="mailto:375694@bugs.debian.org?In-Reply-To=%3C20060709212215.GA5259%40galadriel.inutil.org%3E&subject=Re%3A%20Status%20of%20last%20two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%20bugs&body=On%20Sun%2C%209%20Jul%202006%2023%3A22%3A15%20%2B0200%20Moritz%20Muehlenhoff%20%3Cjmm%40inutil.org%3E%20wrote%3A%0A%3E%20Christian%20Hammers%20wrote%3A%0A%3E%20%0A%3E%20Steven%2C%20can%20you%20please%20assign%20a%20CVE%20for%20the%20second%20DoS%20issue%3F%0A%3E%20%0A%3E%20%3E%20On%202006-07-04%20Christian%20Hammers%20wrote%3A%0A%3E%20%3E%20%3E%20It%27s%20time%20for%20a%20new%20MySQL%20DSA%20%3A%29%20On%0A%3E%20%3E%20%3E%20%20%20http%3A%2F%2Fwww.lathspell.de%2Flinux%2Fdebian%2Fmysql%2Fsarge-4.1%20%0A%3E%20%3E%20%3E%20you%20find%20%2Asarge5.deb%20pacakges%20that%20fix%20the%20following%20two%20vulnerabilities%3A%0A%3E%20%3E%20%3E%20%0A%3E%20%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%3E%20%20%20%20%20%20%22SELECT%20str_to_date%281%2C%20NULL%29%3B%22%20%28CVE-2006-3081%29.%0A%3E%20%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Kanatoko%20%3Canvil%40jumperz.net%3E.%0A%3E%20%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23373913%0A%3E%20%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%3E%20%20%20%20%20%20%22SELECT%20date_format%28%27%25d%25s%27%2C%201%29%3B%20%28CVE-2006-XXXX%29.%0A%3E%20%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Maillefer%20Jean-David%0A%3E%20%3E%20%3E%20%20%20%20%20%20%3Cjean-david%40kesako.ch%3E%20and%20filed%20as%20MySQL%20bug%20%2320729.%0A%3E%20%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23375694%0A%3E%20%3E%20%0A%3E%20%3E%20What%27s%20the%20current%20status%20of%20this%20prepared%20security%20update%3F%20%28Moritz%3F%29%0A%3E%20%0A%3E%20It%27s%20currently%20building.%0A%3E%20%0A%3E%20%3E%20The%20current%20packages%20on%20lathepell.de%20contain%20now%20the%20officia
l%20MySQL%0A%3E%20%3E%20patch%20f%C3%BCr%20the%20second%20bug%20so%20there%27s%20not%20much%20work%20needed%20anymore.%0A%3E%20%3E%20We%20just%20need%20a%20CVE%20id%20for%20it.%0A%3E%20%0A%3E%20I%27m%20CCing%20Steven%20for%20this%20one.%20As%20it%27s%20now%20kind%20of%20public%20in%20the%20MySQL%0A%3E%20database%2C%20assigning%20an%20ID%20from%20the%20Debian%20CNA%20pool%20might%20lead%20to%20clashes.%0A%3E%20%0A%3E%20Cheers%2C%0A%3E%20%20%20%20%20%20%20%20%20Moritz%0A%3E%20%0A%3E%20%0A&References=%3C20060709193429.3caf8f2a%40app109.intern%3E%0A%20%3C20060709212215.GA5259%40galadriel.inutil.org%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=jmm%40inutil.org" alt=""> <div class="header"><span class="headerfield">From:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">To:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">Cc:</span> team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Sun, 9 Jul 2006 23:22:15 +0200</div> </div> <pre class="message">Christian Hammers wrote:

Steven, can you please assign a CVE for the second DoS issue?

> On 2006-07-04 Christian Hammers wrote:
> > It's time for a new MySQL DSA :) On
> >   <a href="http://www.lathspell.de/linux/debian/mysql/sarge-4.1">http://www.lathspell.de/linux/debian/mysql/sarge-4.1</a>
> > you find *sarge5.deb packages that fix the following two vulnerabilities:
> >
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT str_to_date(1, NULL);" (<a href="https://security-tracker.debian.org/tracker/CVE-2006-3081">CVE-2006-3081</a>).
> >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> >      Closes: #<a href="bugreport.cgi?bug=373913">373913</a>
> >    * Fixed DoS bug where any user could crash the server with
> >      "SELECT date_format('%d%s', 1); (CVE-2006-XXXX).
> >      The vulnerability was discovered by Maillefer Jean-David
> >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> >      Closes: #<a href="bugreport.cgi?bug=375694">375694</a>
>
> What's the current status of this prepared security update? (Moritz?)

It's currently building.

> The current packages on lathepell.de contain now the official MySQL
> patch für the second bug so there's not much work needed anymore.
> We just need a CVE id for it.

I'm CCing Steven for this one. As it's now kind of public in the MySQL
database, assigning an ID from the Debian CNA pool might lead to clashes.

Cheers,
        Moritz
</pre> <div class="infmessage"><hr><p> <a name="39"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=40">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=40">mbox</a>, <a href="#39">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="41"></a> <strong>Acknowledgement sent</strong> to <code>"Steven M. Christey" <coley@linus.mitre.org></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>.
(<a href="bugreport.cgi?bug=375694;msg=42">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=42">mbox</a>, <a href="#41">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="43"></a><a name="msg43"></a><a href="#43">Message #43</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=43">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=43">mbox</a>, <a href="mailto:375694@bugs.debian.org?body=On%20Mon%2C%2010%20Jul%202006%2014%3A41%3A23%20-0400%20%28EDT%29%20%22Steven%20M.%20Christey%22%20%3Ccoley%40linus.mitre.org%3E%20wrote%3A%0A%3E%20%0A%3E%20On%20Sun%2C%209%20Jul%202006%2C%20Moritz%20Muehlenhoff%20wrote%3A%0A%3E%20%0A%3E%20%3E%20%3E%20On%202006-07-04%20Christian%20Hammers%20wrote%3A%0A%3E%20%3E%20%3E%20%3E%20It%27s%20time%20for%20a%20new%20MySQL%20DSA%20%3A%29%20On%0A%3E%20%3E%20%3E%20%3E%20%20%20http%3A%2F%2Fwww.lathspell.de%2Flinux%2Fdebian%2Fmysql%2Fsarge-4.1%0A%3E%20%3E%20%3E%20%3E%20you%20find%20%2Asarge5.deb%20pacakges%20that%20fix%20the%20following%20two%20vulnerabilities%3A%0A%3E%20%3E%20%3E%20%3E%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20%22SELECT%20str_to_date%281%2C%20NULL%29%3B%22%20%28CVE-2006-3081%29.%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Kanatoko%20%3Canvil%40jumperz.net%3E.%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23373913%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20%22SELECT%20date_format%28%27%25d%25s%27%2C%201%29%3B%20%28CVE-2006-XXXX%29.%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Maillefer%20Jean-David%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20%3Cjean-david%40kesako.ch%3E%20and%20filed%20as%20MySQL%20bug%20%2320729.%0A%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20Cl
oses%3A%20%23375694%0A%3E%20%0A%3E%20%0A%3E%20Use%20CVE-2006-3469%0A%3E%20%0A%3E%20Is%20this%20%22public%20enough%22%20for%20me%20to%20update%20the%20CVE%20descriptions%2C%20or%20should%20I%0A%3E%20leave%20them%20as%20reserved%20for%20now%3F%20%20CVE%20will%20probably%20be%20the%20first%20point%20of%0A%3E%20widespread%20disclosure.%0A%3E%20%0A%3E%20-%20Steve%0A%3E%20%0A%3E%20%0A&subject=Re%3A%20Status%20of%20last%20two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%20bugs&In-Reply-To=%3CPine.GSO.4.51.0607101439430.16957%40faron.mitre.org%3E&References=%3C20060709193429.3caf8f2a%40app109.intern%3E%20%3C20060709212215.GA5259%40galadriel.inutil.org%3E%0A%20%3CPine.GSO.4.51.0607101439430.16957%40faron.mitre.org%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=coley%40linus.mitre.org" alt=""> <div class="header"><span class="headerfield">From:</span> "Steven M. Christey" <coley@linus.mitre.org></div> <div class="header"><span class="headerfield">To:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">Cc:</span> Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Mon, 10 Jul 2006 14:41:23 -0400 (EDT)</div> </div> <pre class="message">
On Sun, 9 Jul 2006, Moritz Muehlenhoff wrote:

> > On 2006-07-04 Christian Hammers wrote:
> > > It's time for a new MySQL DSA :) On
> > >   <a href="http://www.lathspell.de/linux/debian/mysql/sarge-4.1">http://www.lathspell.de/linux/debian/mysql/sarge-4.1</a>
> > > you find *sarge5.deb packages that fix the following two vulnerabilities:
> > >
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT str_to_date(1, NULL);" (<a href="https://security-tracker.debian.org/tracker/CVE-2006-3081">CVE-2006-3081</a>).
> > >      The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
> > >      Closes: #<a href="bugreport.cgi?bug=373913">373913</a>
> > >    * Fixed DoS bug where any user could crash the server with
> > >      "SELECT date_format('%d%s', 1); (CVE-2006-XXXX).
> > >      The vulnerability was discovered by Maillefer Jean-David
> > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > >      Closes: #<a href="bugreport.cgi?bug=375694">375694</a>


Use <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a>

Is this "public enough" for me to update the CVE descriptions, or should I
leave them as reserved for now?  CVE will probably be the first point of
widespread disclosure.

- Steve
</pre> <div class="infmessage"><hr><p> <a name="44"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=45">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=45">mbox</a>, <a href="#44">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="46"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list.
(<a href="bugreport.cgi?bug=375694;msg=47">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=47">mbox</a>, <a href="#46">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="48"></a><a name="msg48"></a><a href="#48">Message #48</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=48">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=48">mbox</a>, <a href="mailto:375694@bugs.debian.org?References=%3C20060705092622.78579a0a%40xeniac.intern%3E%0A%09%3C20060705094838.GA17023%40serg.mylan%3E%0A%20%3C20060710205148.35211d04%40xeniac.intern%3E&body=On%20Mon%2C%2010%20Jul%202006%2020%3A51%3A48%20%2B0200%20Christian%20Hammers%20%3Cch%40debian.org%3E%20wrote%3A%0A%3E%20Hello%0A%3E%20%0A%3E%20On%202006-07-05%20Sergei%20Golubchik%20wrote%3A%0A%3E%20%3E%20On%20Jul%2005%2C%20Christian%20Hammers%20wrote%3A%0A%3E%20%3E%20%3E%20Hello%20MySQL%20Security-Team%0A%3E%20%3E%20%3E%20%0A%3E%20%3E%20%3E%20Bug%20%2320729%20seems%20to%20be%20security%20relevant%20as%20it%20allowes%20crashing%20the%0A%3E%20%3E%20%3E%20complete%20server%20by%20any%20unprivileged%20user%20by%20issuing%20a%20simple%20query.%0A%3E%20%3E%20%0A%3E%20%3E%20Agree.%0A%3E%20Hm%2C%20the%20latest%204.1%20is%20vulnerable%2C%20do%20you%20consider%20the%20bug%20minor%20enough%0A%3E%20that%20we%20can%20release%20our%20security%20advisory%20or%20do%20you%20want%20us%20to%20hold%0A%3E%20it%20back%20some%20days%20%28not%20weeks%21%29%20so%20that%20you%20can%20release%20a%20new%20upstream%0A%3E%20version%3F%0A%3E%20%0A%3E%20%3E%20Ok%2C%20please%20tell%20us%20CVE%20number%20when%20you%27ll%20know%20it.%0A%3E%20%3E%20%28as%20usual%20%3A%29%0A%3E%20It%27s%20CVE-2006-3469%20%0A%3E%20%0A%3E%20%3E%20%3E%20%28and%20I%20would%20be%20happy%20if%20someone%20could%20confirm%20that%20my%20self%20written%0A%3E%20%3E%20%3E%20patch%20does%20no%20more%20harm%20than%20cure%20%3A%29%29%0A%3E%20%3E%20Done.%0A%3E%20Thanks%2C%20we%20use%20your%20patch%20now.%0A%3E%20%0A%3E%20bye%2C%0A%3E%20%0A%
3E%20-christian-%0A%3E%20%0A%3E%20%0A&subject=Re%3A%20Bug%23375694%3A%20Bug%20%2320729%20security%20relevant%3F&In-Reply-To=%3C20060710205148.35211d04%40xeniac.intern%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Cc:</span> security@mysql.com</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#375694: Bug #20729 security relevant?</div> <div class="header"><span class="headerfield">Date:</span> Mon, 10 Jul 2006 20:51:48 +0200</div> </div> <pre class="message">Hello

On 2006-07-05 Sergei Golubchik wrote:
> On Jul 05, Christian Hammers wrote:
> > Hello MySQL Security-Team
> >
> > Bug #20729 seems to be security relevant as it allows crashing the
> > complete server by any unprivileged user by issuing a simple query.
>
> Agree.
Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough
that we can release our security advisory or do you want us to hold
it back some days (not weeks!) so that you can release a new upstream
version?

> Ok, please tell us CVE number when you'll know it.
> (as usual :)
It's <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a>

> > (and I would be happy if someone could confirm that my self written
> > patch does no more harm than cure :))
> Done.
Thanks, we use your patch now.

bye,

-christian-
</pre> <div class="infmessage"><hr><p> <a name="49"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>.
(<a href="bugreport.cgi?bug=375694;msg=50">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=50">mbox</a>, <a href="#49">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="51"></a> <strong>Acknowledgement sent</strong> to <code>Moritz Muehlenhoff <jmm@inutil.org></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>. (<a href="bugreport.cgi?bug=375694;msg=52">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=52">mbox</a>, <a href="#51">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="53"></a><a name="msg53"></a><a href="#53">Message #53</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=53">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=53">mbox</a>, <a href="mailto:375694@bugs.debian.org?References=%3C20060709193429.3caf8f2a%40app109.intern%3E%20%3C20060709212215.GA5259%40galadriel.inutil.org%3E%20%3CPine.GSO.4.51.0607101439430.16957%40faron.mitre.org%3E%0A%20%3C20060710194905.GA32111%40galadriel.inutil.org%3E&body=On%20Mon%2C%2010%20Jul%202006%2021%3A49%3A05%20%2B0200%20Moritz%20Muehlenhoff%20%3Cjmm%40inutil.org%3E%20wrote%3A%0A%3E%20Steven%20M.%20Christey%20wrote%3A%0A%3E%20%3E%20%3E%20%3E%20%3E%20%20%20%20%2A%20Fixed%20DoS%20bug%20where%20any%20user%20could%20crash%20the%20server%20with%0A%3E%20%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20%22SELECT%20date_format%28%27%25d%25s%27%2C%201%29%3B%20%28CVE-2006-XXXX%29.%0A%3E%20%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20The%20vulnerability%20was%20discovered%20by%20Maillefer%20Jean-David%0A%3E%20%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20%3Cjean-david%40kesako.ch%3E%20and%20filed%20as%20MySQL%20bug%20%2320729.%0A%3E%20%3E%20%3E%20%3E%20%3E%20%20%20%20%20%20Closes%3A%20%23375694%0A%3E%20%0A%3E%20Package%20is%20pushed%20to%20the%20buildds.%0A%3E%20%20%0A%3E%20%3E%20Use%20CVE-2006-3469%0A%3E%20%3E%20%0A%3E%20%3E%20Is%20this%20%22public%20enough%22%20for%20me%20to%20update%20the%20CVE
%20descriptions%2C%20or%20should%20I%0A%3E%20%3E%20leave%20them%20as%20reserved%20for%20now%3F%20%20CVE%20will%20probably%20be%20the%20first%20point%20of%0A%3E%20%3E%20widespread%20disclosure.%0A%3E%20%0A%3E%20Sure%2C%20please%20go%20ahead.%0A%3E%20%0A%3E%20Cheers%2C%0A%3E%20%20%20%20%20%20%20%20%20Moritz%0A%3E%20%0A%3E%20%0A&In-Reply-To=%3C20060710194905.GA32111%40galadriel.inutil.org%3E&subject=Re%3A%20Status%20of%20last%20two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%20bugs">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=jmm%40inutil.org" alt=""> <div class="header"><span class="headerfield">From:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">To:</span> "Steven M. Christey" <coley@linus.mitre.org></div> <div class="header"><span class="headerfield">Cc:</span> Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Mon, 10 Jul 2006 21:49:05 +0200</div> </div> <pre class="message">Steven M. Christey wrote:
> > > >    * Fixed DoS bug where any user could crash the server with
> > > >      "SELECT date_format('%d%s', 1); (CVE-2006-XXXX).
> > > >      The vulnerability was discovered by Maillefer Jean-David
> > > >      <jean-david@kesako.ch> and filed as MySQL bug #20729.
> > > >      Closes: #<a href="bugreport.cgi?bug=375694">375694</a>

Package is pushed to the buildds.

> Use <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a>
>
> Is this "public enough" for me to update the CVE descriptions, or should I
> leave them as reserved for now?  CVE will probably be the first point of
> widespread disclosure.

Sure, please go ahead.

Cheers,
        Moritz
</pre> <div class="infmessage"><hr><p> <a name="54"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=55">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=55">mbox</a>, <a href="#54">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="56"></a> <strong>Acknowledgement sent</strong> to <code>"Steven M. Christey" <coley@linus.mitre.org></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>. (<a href="bugreport.cgi?bug=375694;msg=57">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=57">mbox</a>, <a href="#56">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="58"></a><a name="msg58"></a><a href="#58">Message #58</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=58">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=58">mbox</a>, <a
href="mailto:375694@bugs.debian.org?References=%3C20060709193429.3caf8f2a%40app109.intern%3E%20%3C20060709212215.GA5259%40galadriel.inutil.org%3E%0A%20%3CPine.GSO.4.51.0607101633160.16957%40faron.mitre.org%3E&body=On%20Mon%2C%2010%20Jul%202006%2016%3A38%3A22%20-0400%20%28EDT%29%20%22Steven%20M.%20Christey%22%20%3Ccoley%40linus.mitre.org%3E%20wrote%3A%0A%3E%20%0A%3E%20Speaking%20of%20MySQL%2C%20the%20following%20item%20recently%20showed%20up%20in%20an%20FrSIRT%0A%3E%20advisory.%20%20In%20light%20of%20last%20week%27s%20vendor-sec%20discussions%2C%20let%20me%20know%20if%0A%3E%20there%27s%20too%20much%20guesswork%20going%20on%20here%20%3A%29%0A%3E%20%0A%3E%20-%20Steve%0A%3E%20%0A%3E%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A%3E%20Name%3A%20CVE-2006-3486%0A%3E%20Status%3A%20Candidate%0A%3E%20URL%3A%20http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2006-3486%0A%3E%20Acknowledged%3A%20yes%20changelog%0A%3E%20Announced%3A%2020060704%0A%3E%20Flaw%3A%20buf%0A%3E%20Reference%3A%20MISC%3Ahttp%3A%2F%2Fbugs.mysql.com%2Fbug.php%3Fid%3D20622%0A%3E%20Reference%3A%20CONFIRM%3Ahttp%3A%2F%2Fdev.mysql.com%2Fdoc%2Frefman%2F5.1%2Fen%2Fnews-5-1-12.html%0A%3E%20Reference%3A%20CONFIRM%3Ahttp%3A%2F%2Fdev.mysql.com%2Fdoc%2Frefman%2F5.0%2Fen%2Fnews-5-0-23.html%0A%3E%20Reference%3A%20FRSIRT%3AADV-2006-2700%0A%3E%20Reference%3A%20URL%3Ahttp%3A%2F%2Fwww.frsirt.com%2Fenglish%2Fadvisories%2F2006%2F2700%0A%3E%20%0A%3E%20Off-by-one%20buffer%20overflow%20in%20the%0A%3E%20Instance_options%3A%3Acomplete_initialization%20function%20in%0A%3E%20instance_options.cc%20in%20the%20Instance%20Manager%20in%20MySQL%20before%205.0.23%20and%0A%3E%205.1%20before%205.1.12%20might%20allow%20local%20users%20to%20cause%20a%20denial%20of%20service%0A%3E%20%28application%20crash%29%20via%20unspecified%20vectors%2C%20which%20triggers%20the%0A%3E%20overflow%20when%20the%20convert_dirnam
e%20function%20is%20called.%0A%3E%20%0A%3E%20%0A%3E%20Analysis%3A%0A%3E%20ACKNOWLEDGEMENT%3A%20MySQL%205.0.23%20changelog%20%22%20A%20buffer%20overwrite%20error%20in%0A%3E%20Instance%20Manager%20caused%20a%20crash.%20%28Bug%2320622%29%22%0A%3E%20%0A%3E%20ACCURACY%3A%20it%20is%20not%20clear%20whether%20this%20is%20security-relevant%2C%20as%20the%0A%3E%20input%20vectors%20are%20unknown.%0A%3E%20%0A%3E%20%0A%3E%20%0A%3E%20%0A&In-Reply-To=%3CPine.GSO.4.51.0607101633160.16957%40faron.mitre.org%3E&subject=Re%3A%20Status%20of%20last%20two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%20bugs">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=coley%40linus.mitre.org" alt=""> <div class="header"><span class="headerfield">From:</span> "Steven M. Christey" <coley@linus.mitre.org></div> <div class="header"><span class="headerfield">To:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">Cc:</span> Christian Hammers <ch@debian.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org, coley@linus.mitre.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Mon, 10 Jul 2006 16:38:22 -0400 (EDT)</div> </div> <pre class="message">
Speaking of MySQL, the following item recently showed up in an FrSIRT
advisory.  In light of last week's vendor-sec discussions, let me know if
there's too much guesswork going on here :)

- Steve

======================================================
Name: <a href="https://security-tracker.debian.org/tracker/CVE-2006-3486">CVE-2006-3486</a>
Status: Candidate
URL: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486</a>
Acknowledged: yes changelog
Announced: 20060704
Flaw: buf
Reference: MISC:<a href="http://bugs.mysql.com/bug.php?id=20622">http://bugs.mysql.com/bug.php?id=20622</a>
Reference: CONFIRM:<a href="http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html">http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html</a>
Reference: CONFIRM:<a href="http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html">http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html</a>
Reference: FRSIRT:ADV-2006-2700
Reference: URL:<a href="http://www.frsirt.com/english/advisories/2006/2700">http://www.frsirt.com/english/advisories/2006/2700</a>

Off-by-one buffer overflow in the
Instance_options::complete_initialization function in
instance_options.cc in the Instance Manager in MySQL before 5.0.23 and
5.1 before 5.1.12 might allow local users to cause a denial of service
(application crash) via unspecified vectors, which triggers the
overflow when the convert_dirname function is called.


Analysis:
ACKNOWLEDGEMENT: MySQL 5.0.23 changelog " A buffer overwrite error in
Instance Manager caused a crash. (Bug#20622)"

ACCURACY: it is not clear whether this is security-relevant, as the
input vectors are unknown.
</pre> <div class="infmessage"><hr><p> <a name="59"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>.
(<a href="bugreport.cgi?bug=375694;msg=60">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=60">mbox</a>, <a href="#59">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="61"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. (<a href="bugreport.cgi?bug=375694;msg=62">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=62">mbox</a>, <a href="#61">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="63"></a><a name="msg63"></a><a href="#63">Message #63</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=63">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=63">mbox</a>, <a href="mailto:375694@bugs.debian.org?body=On%20Tue%2C%2011%20Jul%202006%2000%3A07%3A18%20%2B0200%20Christian%20Hammers%20%3Cch%40debian.org%3E%20wrote%3A%0A%3E%20%0A%3E%20%0A%3E%20On%202006-07-10%20Steven%20M.%20Christey%20wrote%3A%0A%3E%20%3E%20Speaking%20of%20MySQL%2C%20the%20following%20item%20recently%20showed%20up%20in%20an%20FrSIRT%0A%3E%20%3E%20advisory.%20%20In%20light%20of%20last%20week%27s%20vendor-sec%20discussions%2C%20let%20me%20know%20if%0A%3E%20%3E%20there%27s%20too%20much%20guesswork%20going%20on%20here%20%3A%29%0A%3E%20%0A%3E%20I%20asked%20FrSIRT%20and%20MySQL%20if%20they%20have%20more%20information%2C%20and%20report%20back%20if%20I%0A%3E%20get%20any%20news.%0A%3E%20%0A%3E%20Debian%3A%20MySQL%20versions%203.23%2C%204.0%20and%204.1%20are%20not%20affected%20as%20they%20did%20not%0A%3E%20have%20the%20file%20in%20question.%205.0%20%28etch%2Fsid-only%29%20is%20currently%20beeing%20built%0A%3E%20%28it%27s%20on%20the%20ftp%20servers%20since%20days%20but%20not%20yet%20officially%20announced%20nor%0A%3E%20linked%20on%20the%20web%20page%2C%20strange%20releases%20they%20made%20%3A%29%29%0A%3E%20%0A%3E%20bye%2C%0A%3E%20%0A%3E%20-christian-%0A%3E%20%0A%3E%20%0A%3E%20%0A&subject=Re%3A%20Bug%23375694%3A%20Status%20of%20last%20
two%2C%20not%20yet%20DSA%27d%2C%20MySQL%20security%0A%20bugs&In-Reply-To=%3C20060711000718.5fba0620%40app109.intern%3E&References=%3C20060709193429.3caf8f2a%40app109.intern%3E%0A%09%3C20060709212215.GA5259%40galadriel.inutil.org%3E%0A%09%3CPine.GSO.4.51.0607101633160.16957%40faron.mitre.org%3E%0A%20%3C20060711000718.5fba0620%40app109.intern%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> "Steven M. Christey" <coley@linus.mitre.org>, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Cc:</span> Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#375694: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Tue, 11 Jul 2006 00:07:18 +0200</div> </div> <pre class="message">

On 2006-07-10 Steven M. Christey wrote:
> Speaking of MySQL, the following item recently showed up in an FrSIRT
> advisory.  In light of last week's vendor-sec discussions, let me know if
> there's too much guesswork going on here :)

I asked FrSIRT and MySQL if they have more information, and report back if I
get any news.

Debian: MySQL versions 3.23, 4.0 and 4.1 are not affected as they did not
have the file in question. 5.0 (etch/sid-only) is currently being built
(it's on the ftp servers since days but not yet officially announced nor
linked on the web page, strange releases they made :))

bye,

-christian-
</pre> <div class="infmessage"><hr><p> <a name="64"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=65">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=65">mbox</a>, <a href="#64">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="66"></a> <strong>Acknowledgement sent</strong> to <code>Lenz Grimmer <lenz@mysql.com></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>. (<a href="bugreport.cgi?bug=375694;msg=67">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=67">mbox</a>, <a href="#66">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="68"></a><a name="msg68"></a><a href="#68">Message #68</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=68">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=68">mbox</a>, <a
href="mailto:375694@bugs.debian.org?References=%3C20060705092622.78579a0a%40xeniac.intern%3E%20%3C20060705094838.GA17023%40serg.mylan%3E%0A%20%3C20060710205148.35211d04%40xeniac.intern%3E%0A%20%3CPine.LNX.4.64.0607111805070.31317%40metis.lenznet%3E&body=On%20Tue%2C%2011%20Jul%202006%2018%3A07%3A39%20%2B0200%20%28CEST%29%20Lenz%20Grimmer%20%3Clenz%40mysql.com%3E%20wrote%3A%0A%3E%20-----BEGIN%20PGP%20SIGNED%20MESSAGE-----%0A%3E%20Hash%3A%20SHA1%0A%3E%20%0A%3E%20Hi%20Christian%2C%0A%3E%20%0A%3E%20On%20Mon%2C%2010%20Jul%202006%2C%20Christian%20Hammers%20wrote%3A%0A%3E%20%0A%3E%20%3E%20Hm%2C%20the%20latest%204.1%20is%20vulnerable%2C%20do%20you%20consider%20the%20bug%20minor%20enough%20that%0A%3E%20%3E%20we%20can%20release%20our%20security%20advisory%20or%20do%20you%20want%20us%20to%20hold%20it%20back%20some%0A%3E%20%3E%20days%20%28not%20weeks%21%29%20so%20that%20you%20can%20release%20a%20new%20upstream%20version%3F%0A%3E%20%0A%3E%20Sergei%20is%20currently%20on%20vacation%20-%20I%20am%20going%20to%20find%20out%20how%20we%20are%20going%20to%0A%3E%20handle%20this%20one.%20I%20think%20a%20flaw%20that%20allows%20a%20regular%20user%20to%20crash%20the%0A%3E%20server%20is%20important%20enough%20to%20be%20fixed%20quickly.%0A%3E%20%0A%3E%20%3E%20%3E%20Ok%2C%20please%20tell%20us%20CVE%20number%20when%20you%27ll%20know%20it.%0A%3E%20%3E%20%3E%20%28as%20usual%20%3A%29%0A%3E%20%3E%20It%27s%20CVE-2006-3469%20%0A%3E%20%0A%3E%20Hmm%2C%20http%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2006-3469%20tells%20me%20%0A%3E%20it%27s%20not%20found%3F%0A%3E%20%0A%3E%20%3E%20%3E%20%3E%20%28and%20I%20would%20be%20happy%20if%20someone%20could%20confirm%20that%20my%20self%20written%0A%3E%20%3E%20%3E%20%3E%20patch%20does%20no%20more%20harm%20than%20cure%20%3A%29%29%0A%3E%20%3E%20%3E%20Done.%0A%3E%20%3E%20Thanks%2C%20we%20use%20your%20patch%20now.%0A%3E%20%0A%3E%20Bye%2C%0A%3E%20%09LenZ%0A%3E%20-%20--%20%0A%3E%20%20Lenz%20Grimmer%20%3Clenz%40mysql.com%3E%0A%3E%20%20Community%20Relations%2
0Manager%2C%20EMEA%0A%3E%20%20MySQL%20GmbH%2C%20http%3A%2F%2Fwww.mysql.de%2F%2C%20Hamburg%2C%20Germany%0A%3E%20%20Visit%20the%20MySQL%20Forge%20at%20http%3A%2F%2Fforge.mysql.com%2F%0A%3E%20-----BEGIN%20PGP%20SIGNATURE-----%0A%3E%20Version%3A%20GnuPG%20v1.4.2%20%28GNU%2FLinux%29%0A%3E%20Comment%3A%20For%20info%20see%20http%3A%2F%2Fquantumlab.net%2Fpine_privacy_guard%2F%0A%3E%20%0A%3E%20iD8DBQFEs8zNSVDhKrJykfIRArDNAJ41CaXBfZUZ1rRV09DrEArZ%2Bkp%2FOwCdGjbP%0A%3E%20MoqbbkxH6My7c6IVZPS15Fc%3D%0A%3E%20%3DZ9uH%0A%3E%20-----END%20PGP%20SIGNATURE-----%0A%3E%20%0A%3E%20%0A&subject=Re%3A%20Bug%23375694%3A%20Bug%20%2320729%20security%20relevant%3F&In-Reply-To=%3CPine.LNX.4.64.0607111805070.31317%40metis.lenznet%3E">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=lenz%40mysql.com" alt=""> <div class="header"><span class="headerfield">From:</span> Lenz Grimmer <lenz@mysql.com></div> <div class="header"><span class="headerfield">To:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">Cc:</span> Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#375694: Bug #20729 security relevant?</div> <div class="header"><span class="headerfield">Date:</span> Tue, 11 Jul 2006 18:07:39 +0200 (CEST)</div> </div> <pre class="message">-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Christian, On Mon, 10 Jul 2006, Christian Hammers wrote: > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that > we can release our security advisory or do you want us to hold it back some > days (not weeks!) so that you can release a new upstream version? Sergei is currently on vacation - I am going to find out how we are going to handle this one. I think a flaw that allows a regular user to crash the server is important enough to be fixed quickly. > > Ok, please tell us CVE number when you'll know it. 
> > (as usual :) > It's <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a> Hmm, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469</a> tells me it's not found? > > > (and I would be happy if someone could confirm that my self written > > > patch does no more harm than cure :)) > > Done. > Thanks, we use your patch now. Bye, LenZ - -- Lenz Grimmer <lenz@mysql.com> Community Relations Manager, EMEA MySQL GmbH, <a href="http://www.mysql.de/">http://www.mysql.de/</a>, Hamburg, Germany Visit the MySQL Forge at <a href="http://forge.mysql.com/">http://forge.mysql.com/</a> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: For info see <a href="http://quantumlab.net/pine_privacy_guard/">http://quantumlab.net/pine_privacy_guard/</a> iD8DBQFEs8zNSVDhKrJykfIRArDNAJ41CaXBfZUZ1rRV09DrEArZ+kp/OwCdGjbP MoqbbkxH6My7c6IVZPS15Fc= =Z9uH -----END PGP SIGNATURE----- </pre> <div class="infmessage"><hr><p> <a name="69"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=70">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=70">mbox</a>, <a href="#69">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="71"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. 
(<a href="bugreport.cgi?bug=375694;msg=72">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=72">mbox</a>, <a href="#71">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="73"></a><a name="msg73"></a><a href="#73">Message #73</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=73">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=73">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p>
<div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> Lenz Grimmer <lenz@mysql.com></div> <div class="header"><span class="headerfield">Cc:</span> Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#375694: Bug #20729 security relevant?</div> <div class="header"><span class="headerfield">Date:</span> Tue, 11 Jul 2006 18:26:26 +0200</div> </div> <pre class="message"> On 2006-07-11 Lenz Grimmer wrote: > > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that > > we can release our security advisory or do you want us to hold it back some > > days (not weeks!) so that you can release a new upstream version? > > Sergei is currently on vacation - I am going to find out how we are going > to handle this one. I think a flaw that allows a regular user to crash the > server is important enough to be fixed quickly. Ok, our upgrade packages are currently building and will be published in the next 1-2 days.. > > > Ok, please tell us CVE number when you'll know it. 
> > > (as usual :) > > It's <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a> > > Hmm, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469</a> tells me > it's not found? It has been registered yesterday and the guy from mitre wasn't sure if he should make it public yet as there is no new mysql upstream version yet. bye, -christian- </pre> <div class="infmessage"><hr><p> <a name="74"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=75">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=75">mbox</a>, <a href="#74">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="76"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. 
(<a href="bugreport.cgi?bug=375694;msg=77">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=77">mbox</a>, <a href="#76">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="78"></a><a name="msg78"></a><a href="#78">Message #78</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=78">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=78">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> team@security.debian.org</div> <div class="header"><span class="headerfield">Cc:</span> Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> 
Tue, 11 Jul 2006 20:50:20 +0200</div> </div> <pre class="mime">[<a href="bugreport.cgi?att=0;bug=375694;msg=78">Message part 1</a> (text/plain, inline)]</pre> <pre class="message">Hello Moritz & Co Attached is a mail from mysql. It seems to be ok for them if we release our patch even if they need another week to release a new 4.1 version. (I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess we gave them time enough, given that the bug was public in the BTS) So go ahead! bye, -christian- </pre> <pre class="mime">[<a href="bugreport.cgi?att=1;bug=375694;msg=78">Message part 2</a> (message/rfc822, inline)]</pre> <blockquote> <div class="headers"> </div> <pre class="message">ql.com) by master.debian.org with esmtp (Exim 4.50) id 1G0MQ5-00035q-5u for ch@lathspell.de; Tue, 11 Jul 2006 12:53:13 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by mailgate.mysql.com (8.13.4/8.13.4) with ESMTP id k6BHr0Dp019879; Tue, 11 Jul 2006 19:53:00 +0200 Received: from mail.mysql.com ([10.222.1.99]) by localhost (mailgate.mysql.com [10.222.1.98]) (amavisd-new, port 10026) with LMTP id 15497-05; Tue, 11 Jul 2006 19:53:00 +0200 (CEST) Received: from metis.lenznet (10-100-68-2.mysql.internal [10.100.68.2]) (authenticated bits=0) by mail.mysql.com (8.13.3/8.13.3) with ESMTP id k6BHqtSg016292 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 11 Jul 2006 19:52:56 +0200 Received: from localhost (localhost [127.0.0.1]) by metis.lenznet (Postfix) with ESMTP id C58C43298B; Tue, 11 Jul 2006 19:51:58 +0200 (CEST) Date: Tue, 11 Jul 2006 19:51:56 +0200 (CEST) From: Lenz Grimmer <lenz@mysql.com> X-X-Sender: lenz@metis.lenznet To: Christian Hammers <ch@debian.org> Cc: Sergei Golubchik <serg@mysql.com>, 375694@bugs.debian.org, security@mysql.com, Chad Miller <cmiller@mysql.com> Subject: Re: Bug#375694: Bug #20729 security relevant? 
In-Reply-To: <20060711182626.13423972@xeniac.intern> Message-ID: <Pine.LNX.4.64.0607111944410.31317@metis.lenznet> References: <20060705092622.78579a0a@xeniac.intern> <20060705094838.GA17023@serg.mylan> <20060710205148.35211d04@xeniac.intern> <Pine.LNX.4.64.0607111805070.31317@metis.lenznet> <20060711182626.13423972@xeniac.intern> X-Virus-Scanned: by amavisd-new at mailgate.mysql.com X-Spam-Status: No, hits=0.1 tagged_above=-999.0 required=5.0 tests=AWL, FORGED_RCVD_HELO X-Spam-Level: Mime-Version: 1.0 Content-Type: text/PLAIN; charset=US-ASCII -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Christian, On Tue, 11 Jul 2006, Christian Hammers wrote: > On 2006-07-11 Lenz Grimmer wrote: > > > Hm, the latest 4.1 is vulnerable, do you consider the bug minor enough that > > > we can release our security advisory or do you want us to hold it back some > > > days (not weeks!) so that you can release a new upstream version? > > > > Sergei is currently on vacation - I am going to find out how we are going > > to handle this one. I think a flaw that allows a regular user to crash the > > server is important enough to be fixed quickly. > > Ok, our upgrade packages are currently building and will be published in the > next 1-2 days.. OK. Chad (copied on this message - he's a Debian Dev, too, by the way) will apply the patch to the 4.1 tree ASAP, hopefully today. We are currently looking into how to schedule a new 4.1 release for that. We may be able to kick off the builds this week, but it may take up to next week before the release will be published. > > > > Ok, please tell us CVE number when you'll know it. > > > > (as usual :) > > > It's <a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a> > > > > Hmm, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469</a> tells me > > it's not found? 
> > It has been registered yesterday and the guy from mitre wasn't sure if he > should make it public yet as there is no new mysql upstream version yet. Thanks for the info! Chad, please make sure to add that reference to the bug report, before you assign it to docs. Thanks! Bye, LenZ - -- Lenz Grimmer <lenz@mysql.com> Community Relations Manager, EMEA MySQL GmbH, <a href="http://www.mysql.de/">http://www.mysql.de/</a>, Hamburg, Germany Visit the MySQL Forge at <a href="http://forge.mysql.com/">http://forge.mysql.com/</a> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: For info see <a href="http://quantumlab.net/pine_privacy_guard/">http://quantumlab.net/pine_privacy_guard/</a> iD8DBQFEs+U+SVDhKrJykfIRAlT4AJ9lCnu+tk202+/0/AAWuZl6svN/CgCaAwQM FKEF30eyuaDZfmMLaB0ckvM= =6Aaz -----END PGP SIGNATURE----- </pre> </blockquote> <div class="infmessage"><hr><p> <a name="79"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org></code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=80">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=80">mbox</a>, <a href="#79">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="81"></a> <strong>Acknowledgement sent</strong> to <code>Moritz Muehlenhoff <jmm@inutil.org></code>:<br> Extra info received and forwarded to list. Copy sent to <code>Christian Hammers <ch@debian.org></code>. 
(<a href="bugreport.cgi?bug=375694;msg=82">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=82">mbox</a>, <a href="#81">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="83"></a><a name="msg83"></a><a href="#83">Message #83</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=83">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=83">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=jmm%40inutil.org" alt=""> <div class="header"><span 
class="headerfield">From:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">To:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">Cc:</span> team@security.debian.org, Sean Finney <seanius@debian.org>, 373913@bugs.debian.org, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Wed, 12 Jul 2006 00:47:01 +0200</div> </div> <pre class="message">Christian Hammers wrote: > Hello Moritz & Co > > Attached is a mail from mysql. It seems to be ok for them if we release our > patch even if they need another week to release a new 4.1 version. > (I reported it on Jun 27 and they provided me a fix on Jul 5 so I guess > we gave them time enough, given that the bug was public in the BTS) > > So go ahead! Ok, will push it out once all builds are available: The arm buildd seems currently down and the m68k ran out of diskspace (only 10 megabytes available), so it might take a few more days. Cheers, Moritz </pre> <div class="infmessage"><hr><p> <a name="84"></a> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org</code>:<br> <code>Bug#375694</code>; Package <code>mysql-server-4.1</code>. (<a href="bugreport.cgi?bug=375694;msg=85">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=85">mbox</a>, <a href="#84">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="86"></a> <strong>Acknowledgement sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> Extra info received and forwarded to list. 
(<a href="bugreport.cgi?bug=375694;msg=87">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=87">mbox</a>, <a href="#86">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="88"></a><a name="msg88"></a><a href="#88">Message #88</a> received at 375694@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=88">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=88">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> Moritz Muehlenhoff <jmm@inutil.org></div> <div class="header"><span class="headerfield">Cc:</span> 373913@bugs.debian.org, team@security.debian.org, Sean Finney <seanius@debian.org>, 375694@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: Bug#373913: Status of last two, not yet DSA'd, MySQL security bugs</div> <div class="header"><span class="headerfield">Date:</span> Sat, 15 Jul 2006 20:05:21 +0200</div> </div> <pre class="message wrapping">Hello Moritz Any news regarding the 
DSA announcement of these two packages? bye, -christian- </pre> <div class="msgreceived"><hr><p> <a name="89"></a> <strong>Reply sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> You have taken responsibility. (<a href="bugreport.cgi?bug=375694;msg=90">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=90">mbox</a>, <a href="#89">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="91"></a> <strong>Notification sent</strong> to <code>Maillefer Jean-David <jean-david@kesako.ch></code>:<br> Bug acknowledged by developer. (<a href="bugreport.cgi?bug=375694;msg=92">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=92">mbox</a>, <a href="#91">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="93"></a><a name="msg93"></a><a href="#93">Message #93</a> received at 375694-done@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=93">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=93">mbox</a>, <a href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> 375694-done@bugs.debian.org</div> <div class="header"><span 
class="headerfield">Subject:</span> Re: SECURITY: date_format('%d%s', 1) crashs server</div> <div class="header"><span class="headerfield">Date:</span> Sat, 22 Jul 2006 12:53:03 +0200</div> </div> <pre class="message">I'm closing this bug report as it was not automatically done by the Debian Security Announcement that fixed it: <a href="http://www.debian.org/security/2006/dsa-1112">http://www.debian.org/security/2006/dsa-1112</a> bye, -christian- </pre> <div class="msgreceived"><hr><p> <a name="94"></a> <strong>Reply sent</strong> to <code>Christian Hammers <ch@debian.org></code>:<br> You have taken responsibility. (<a href="bugreport.cgi?bug=375694;msg=95">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=95">mbox</a>, <a href="#94">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="96"></a> <strong>Notification sent</strong> to <code>Maillefer Jean-David <jean-david@kesako.ch></code>:<br> Bug acknowledged by developer. (<a href="bugreport.cgi?bug=375694;msg=97">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=97">mbox</a>, <a href="#96">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="98"></a><a name="msg98"></a><a href="#98">Message #98</a> received at 375694-close@bugs.debian.org (<a href="bugreport.cgi?bug=375694;msg=98">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=98">mbox</a>, <a 
href="mailto:375694@bugs.debian.org">reply</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=ch%40debian.org" alt=""> <div class="header"><span class="headerfield">From:</span> Christian Hammers <ch@debian.org></div> <div class="header"><span class="headerfield">To:</span> 375694-close@bugs.debian.org</div> <div class="header"><span 
class="headerfield">Subject:</span> Bug#375694: fixed in mysql-dfsg-4.1 4.1.11a-4sarge5</div> <div class="header"><span class="headerfield">Date:</span> Wed, 30 Aug 2006 23:05:18 -0700</div> </div> <pre class="message">Source: mysql-dfsg-4.1
Source-Version: 4.1.11a-4sarge5

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge5_i386.deb
libmysqlclient14_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge5_i386.deb
mysql-client-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge5_i386.deb
mysql-common-4.1_4.1.11a-4sarge5_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge5_all.deb
mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
mysql-server-4.1_4.1.11a-4sarge5_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge5_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Jun 2006 09:52:12 +0000
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 mysql-client-4.1
Architecture: source i386 all
Version: 4.1.11a-4sarge5
Distribution: stable-security
Urgency: low
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description:
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: <a href="bugreport.cgi?bug=373913">373913</a> <a href="bugreport.cgi?bug=375694">375694</a>
Changes:
 mysql-dfsg-4.1 (4.1.11a-4sarge5) stable-security; urgency=low
 .
   * Security upload prepared for the security team by the Debian MySQL
     package maintainers.
   * Fixed DoS bug where any user could crash the server with
     "SELECT str_to_date(1, NULL);" (<a href="https://security-tracker.debian.org/tracker/CVE-2006-3081">CVE-2006-3081</a>).
     The vulnerability was discovered by Kanatoko <anvil@jumperz.net>.
     Closes: #<a href="bugreport.cgi?bug=373913">373913</a>
   * Fixed DoS bug where any user could crash the server with
     "SELECT date_format('%d%s', 1);" (<a href="https://security-tracker.debian.org/tracker/CVE-2006-3469">CVE-2006-3469</a>).
     The vulnerability was discovered by Maillefer Jean-David
     <jean-david@kesako.ch> and filed as MySQL bug #20729.
     Closes: #<a href="bugreport.cgi?bug=375694">375694</a>
</pre> <div class="msgreceived"><hr><p> <a name="99"></a> <!-- time:1182924082 --> <strong>Bug archived.</strong> Request was from <code>Debbugs Internal Request <owner@bugs.debian.org></code> to <code>internal_control@bugs.debian.org</code>. (Wed, 27 Jun 2007 06:01:22 GMT) (<a href="bugreport.cgi?bug=375694;msg=100">full text</a>, <a href="bugreport.cgi?bug=375694;mbox=yes;msg=100">mbox</a>, <a href="#99">link</a>).</p></p></div> <hr> <ADDRESS>Debian bug tracking system administrator <<A HREF="mailto:owner@bugs.debian.org">owner@bugs.debian.org</A>>. Last modified: <!--timestamp-->Sun Nov 24 06:06:39 2024<!--end timestamp-->; Machine Name: <!--machinename-->buxtehude<!--machinename--> <P> <A HREF="https://www.debian.org/Bugs/">Debian Bug tracking system</A> </p> <p> Debbugs is free software and licensed under the terms of the GNU Public License version 2. 
The current version can be obtained from <a href="https://bugs.debian.org/debbugs-source/">https://bugs.debian.org/debbugs-source/</a>. </p> <p> Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors. </p> </ADDRESS> </body> </html>