Several unfixed security issues
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mysql-dfsg-5.0 (Ubuntu) |
Fix Released
|
High
|
Adam Conrad | ||
Bug Description
The current edgy package has three open security vulnerabilities:
CVE-2006-4031: allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy. (fixed upstream in 5.0.24)
CVE-2006-4226: allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (fixed upstream in 5.0.25, fixed in Debian in 5.0.24-3)
CVE-2006-4227: evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE. (fixed upstream in 5.0.25, fixed in Debian in 5.0.24-3)
Preferably we should just merge from Debian since our current version is quite old and Debian has a lot of bug fixes.
| Changed in mysql-dfsg-5.0: | |
| importance: | Undecided → High |
| status: | Unconfirmed → Confirmed |
| Adam Conrad (adconrad) wrote | #1 |
| Adam Conrad (adconrad) wrote | #2 |
| Changed in mysql-dfsg-5.0: | |
| assignee: | nobody → adconrad |
| status: | Confirmed → Fix Released |
For the record, my changes to make sure that the backgrounded processes started from the init script don't spew on stdout (thus breaking debconf in weird ways) have been merged into Debian by now, and a straight sync should serve us quite well.