[mysql] [CVE-2008-0226] [CVE-2008-0227] buffer overflows in YaSSL

Bug #186978 reported by disabled.user
Affects                   Status         Importance   Assigned to        Milestone
mysql-dfsg-5.0 (Ubuntu)   Fix Released   Undecided    Unassigned
  Declined for Dapper by Mathias Gug
Edgy                      Fix Released   Undecided    Jamie Strandboge
Feisty                    Fix Released   Undecided    Jamie Strandboge
Gutsy                     Fix Released   Undecided    Jamie Strandboge

Bug Description

References:
DSA-1478-1 (http://www.debian.org/security/2008/dsa-1478)

Quoting:
"Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL
implementation included in the MySQL database package, which could lead
to denial of service and possibly the execution of arbitrary code."

Mathias Gug (mathiaz) wrote :

Thanks for taking the time to report a bug and help make Ubuntu better. These vulnerabilities have been fixed in the latest version of mysql in Debian (5.0.51-3) and should be fixed in the next upload to hardy.

Changed in mysql-dfsg-5.0:
status: New → Confirmed
Chuck Short (zulcss)
Changed in mysql-dfsg-5.0:
status: Confirmed → In Progress
Chuck Short (zulcss)
Changed in mysql-dfsg-5.0:
status: In Progress → Confirmed
Jamie Strandboge (jdstrand) wrote :

Dapper not affected (yassl not compiled).

Changed in mysql-dfsg-5.0:
assignee: nobody → jamie-strandboge
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

These fixes are part of a larger update that is available in -proposed. Please test and report results in #201009

Changed in mysql-dfsg-5.0:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Hardy was fixed in 5.0.51a-1.

mysql-dfsg-5.0 (5.0.51a-1) unstable; urgency=low

  [ Norbert Tretkowski ]
  * New upstream security hotfix release. Low priority upload anyway because
    5.0.51-3 already contained all security fixes.
  * Remove patches:
    + debian/patches/51_mysqlcheck-result.dpatch
    + debian/patches/92_SECURITY_CVE-2007-6303.dpatch
    + debian/patches/93_SECURITY_CVE-2007-6304.dpatch
    + debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch
  * Add recommendation on libhtml-template-perl to -server package, used by
    ndb_size. (closes: #462265)
  * New patch 60_raise-max-keylength.dpatch to raise the maximum key length to
    4005 bytes or 1335 UTF-8 characters. (closes: #463137)
  * New patch 51_sort-order.dpatch from 5.0.52 to fix incorrect order when
    using range conditions on 2 tables or more.
  * Support DEB_BUILD_OPTIONS option 'nocheck' to skip tests.
  * Update mysqlreport to 3.4a release.

  [ Luk Claes ]
  * Updated Japanese debconf translation. (closes: #462158)

 -- Norbert Tretkowski <email address hidden> Wed, 06 Feb 2008 11:57:45 +0100

Changed in mysql-dfsg-5.0:
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.0.45-1ubuntu3.3

---------------
mysql-dfsg-5.0 (5.0.45-1ubuntu3.3) gutsy-security; urgency=low

  * no change build for -security upload

mysql-dfsg-5.0 (5.0.45-1ubuntu3.2) gutsy-proposed; urgency=low

  * SECURITY UPDATE: buffer overflow via ProcessOldClientHello() in
    handshake.cpp and input_buffer& operator>> in yassl_imp.cpp
  * SECURITY UPDATE: buffer overread in HASHwithTransform::Update in hash.cpp
  * debian/patches/95_SECURITY_CVE-2008-0226_0227.dpatch: properly verify
    length of input (LP: #186978)
  * SECURITY UPDATE: privilege escalation via crafted CREATE SQL SECURITY
    DEFINER VIEW and ALTER VIEW statements
  * debian/patches/96_SECURITY_CVE-2007-6303.dpatch: make sure lex->definer
    is non-NULL in sql_view.cc (LP: #185039)
  * debian/patches/97_view_fix-now.dpatch: update view.test and view.result to
    use a static year instead of now(). These tests are not part of the build
    but helps with qa-regression-testing
  * References
    CVE-2008-0226
    CVE-2008-0227
    CVE-2007-6303

 -- Jamie Strandboge <email address hidden> Wed, 19 Mar 2008 15:18:09 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.0.38-0ubuntu1.4

---------------
mysql-dfsg-5.0 (5.0.38-0ubuntu1.4) feisty-security; urgency=low

  * no change build for -security upload

mysql-dfsg-5.0 (5.0.38-0ubuntu1.3) feisty-proposed; urgency=low

  * SECURITY UPDATE: buffer overflow via ProcessOldClientHello() in
    handshake.cpp and input_buffer& operator>> in yassl_imp.cpp
  * SECURITY UPDATE: buffer overread in HASHwithTransform::Update in hash.cpp
  * debian/patches/97_SECURITY_CVE-2008-0226_0227.dpatch: properly verify
    length of input (LP: #186978).
  * SECURITY UPDATE: privilege escalation via crafted CREATE SQL SECURITY
    DEFINER VIEW and ALTER VIEW statements
  * debian/patches/98_SECURITY_CVE-2007-6303.dpatch: make sure lex->definer
    is non-NULL in sql_view.cc (LP: #185039)
  * debian/patches/99_view_fix-now.dpatch: update view.test and view.result to
    use a static year instead of now(). These tests are not part of the build
    but helps with qa-regression-testing
  * SECURITY UPDATE: privilege escalation via SQL SECURITY INVOKER stored
    routines
  * debian/patches/100_SECURITY_CVE-2007-2692.dpatch: restore THD::db_access
    when returning from stored routine by performing privilege checks in the
    execution stage rather than the parsing stage. (LP: #172260)
  * References
    CVE-2008-0226
    CVE-2008-0227
    CVE-2007-6303
    CVE-2007-2692
    http://bugs.mysql.com/bug.php?id=27337

 -- Jamie Strandboge <email address hidden> Wed, 19 Mar 2008 15:17:20 -0400

Changed in mysql-dfsg-5.0:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in mysql-dfsg-5.0:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.