
Bug 67343

Summary: dev-db/mysql denial of service
Product: Gentoo Security
Reporter: Marc Vila <marc.vila>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/12783/
Whiteboard: (handled)
Package list:
Runtime testing required: ---

Description Marc Vila 2004-10-13 00:43:06 UTC
DESCRIPTION:
Two vulnerabilities have been reported in MySQL, which can be
exploited by malicious users to bypass certain security restrictions
or cause a DoS (Denial of Service).

1) An error in "ALTER TABLE ... RENAME" operations causes the
CREATE/INSERT rights of old tables to be checked, which potentially
can be exploited to bypass some applied security restrictions.

The vulnerability has been reported in version 3.23. Other versions
may also be affected.

2) It is possible to crash or stall the server when multiple threads
ALTER the same or different MERGE tables to change the UNION.

The vulnerability has been reported in version 3.23 and 4.0.18. Other
versions may also be affected.

SOLUTION:
Update to version 3.23.59 or 4.0.21.
http://dev.mysql.com/downloads/mysql/

PROVIDED AND/OR DISCOVERED BY:
1) Oleksandr Byelkin
2) Dean Ellis

ORIGINAL ADVISORY:
1) http://bugs.mysql.com/bug.php?id=3270
2) http://bugs.mysql.com/bug.php?id=2408


Reproducible: Always

We have ebuilds for several "affected" versions, maybe an ebuild cleaning would
also be nice.

http://secunia.com/advisories/12783/
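
The ebuild cleanup suggested above can be scoped by comparing each ebuild's version with the fixed releases named in the advisory (3.23.59 and 4.0.21). The following is an added example, not part of the original report or of Gentoo's tooling; the file names in `SAMPLE` are constructed, and `classify` and `cleanup_candidates` are hypothetical helper names.

```python
import re

# Fixed release per branch, from the advisory's SOLUTION line.
FIXED = {(3, 23): (3, 23, 59), (4, 0): (4, 0, 21)}

# mysql-<x.y.z>[letter][_suffix...][-rN].ebuild (Gentoo ebuild naming).
EBUILD_RE = re.compile(
    r"^mysql-(\d+)\.(\d+)\.(\d+)[a-z]?"
    r"((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r\d+)?\.ebuild$"
)
PRERELEASE_RE = re.compile(r"_(?:alpha|beta|pre|rc)")


def classify(filename):
    """Return 'fixed', 'needs-update', 'unknown' or 'unparsed'."""
    m = EBUILD_RE.match(filename)
    if not m:
        return "unparsed"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The advisory names no fixed release for other branches.
        return "unknown"
    if version == fixed and PRERELEASE_RE.search(m.group(4)):
        # e.g. 4.0.21_rc1 sorts before the 4.0.21 release.
        return "needs-update"
    return "fixed" if version >= fixed else "needs-update"


def cleanup_candidates(filenames):
    """Ebuilds in an affected branch that predate the fixed release."""
    return sorted(f for f in filenames if classify(f) == "needs-update")


# Constructed sample directory listing, not the real tree contents.
SAMPLE = [
    "mysql-3.23.58-r1.ebuild", "mysql-3.23.59.ebuild",
    "mysql-4.0.18.ebuild", "mysql-4.0.20-r1.ebuild",
    "mysql-4.0.21.ebuild", "mysql-4.0.21_rc1.ebuild",
    "mysql-4.1.5.ebuild", "ChangeLog",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{classify(name):13} {name}")
```

Branches other than 3.23 and 4.0 are reported as `unknown` because the advisory only says other versions "may also be affected" and gives no fixed release for them.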
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-13 02:40:33 UTC
This is handled by security-restricted bug #67062
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 01:55:49 UTC

*** This bug has been marked as a duplicate of 67062 ***