Subject: pkg/19750: databases/mysql-client & -server (version 3.23.49) has an unfixed security hole (xs4)
To: None <gnats-bugs@gnats.netbsd.org>
From: Rogier Krieger <rogier@virgiel.nl>
List: netbsd-bugs
Date: 01/09/2003 02:54:08
>Number: 19750
>Category: pkg
>Synopsis: pkgsrc mysql packages have unfixed security risks (remote vulnerabilities)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 08 18:55:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Rogier Krieger
>Release: NetBSD 1.6_STABLE
>Organization:
KSV Sanctus Virgilius
>Environment:
System: NetBSD karres 1.6_STABLE NetBSD 1.6_STABLE (KARRES) #0: Fri Dec 27 13:53:52 CET 2002 root@karres:/usr/src/sys/arch/i386/compile/KARRES i386
Architecture: i386
Machine: i386
>Description:
The mysql-client and mysql-server packages in the databases directory have remotely
exploitable vulnerabilities, according to the vulnerabilities database. They are
of version 3.23.49.
My daily security check is alerting me with the following two messages:
Package mysql-client-3.23.49nb1 has a remote-code-execution vulnerability, see
http://security.e-matters.de/advisories/042002.html
Package mysql-server-3.23.49 has a remote-code-execution vulnerability, see
http://security.e-matters.de/advisories/042002.html
So far, I have not been able to find an updated version (3.23.54 is advertised
at the mysql.com website) for these packages, which worries me a bit.
I guess the holidays are a problematic time for a security fix, but I just
wanted to put it in the database in case it got overlooked.
>How-To-Repeat:
Check the distfiles and Makefiles on the databases/mysql-client and
databases. They list a version number of 3.23.49.
The vulnerabilities listing has the rest.
>Fix:
So far, all I can think of is either disabling the service entirely
or placing a firewall around it for the time being. Too bad this
cannot stop local users from exploiting the database.
A package update should do the trick. I unfortunately do not know
how to do such a thing. Sorry for bugging you with it.
>Release-Note:
>Audit-Trail:
>Unformatted: