Your message dated Wed, 13 Apr 2005 17:22:11 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Closing bugs for mysql-3.23 due to the release of an DSA
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Dec 2004 06:12:35 +0000
>From [EMAIL PROTECTED] Sat Dec 11 22:12:35 2004
Return-path: <[EMAIL PROTECTED]>
Received: from c201166.ppp.asahi-net.or.jp (grapefruit) [210.155.201.166] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CdMyB-0006FV-00; Sat, 11 Dec 2004 22:12:35 -0800
Received: by grapefruit (Postfix, from userid 1000)
        id 2CF244461; Sun, 12 Dec 2004 15:15:29 +0900 (JST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Hideki Yamane <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mysql: vulnerability issue (CAN-2004-0956 and CAN-2004-0957)
X-Mailer: reportbug 3.4
Date: Sun, 12 Dec 2004 15:15:29 +0900
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: mysql
Version: 3.23.49-8.8
Severity: grave
Tags: security, woody
Justification: renders package unusable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear mysql maintainer,

 I saw the Ubuntu security advisory and found that the vulnerabilities in the
 Debian mysql package are not fixed yet. That Ubuntu announcement is here.
 
http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html

>Some query strings containing a double quote (like MATCH ... AGAINST
>(' some " query' IN BOOLEAN MODE) ) that did not have a matching
>closing double quote caused a denial of service (server crash). Again,
>this is only exploitable by authorized mysql users.  (CAN-2004-0956)
>
>If a user was granted privileges to a database with a name containing
>an underscore ("_"), the user also gained the ability to grant
>privileges to other databases with similar names. (CAN-2004-0957)


 I see that Christian asked about these issues in the mysql BTS, but there
 has been no progress since September. So,

 * check and compare other distributions' patches for their packages and
   make a patch if you can

   http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html
   http://rhn.redhat.com/errata/RHSA-2004-597.html
   http://rhn.redhat.com/errata/RHSA-2004-611.html

 * or the security team should help to get these issues fixed


 I'll post this to make these issues easy to track. I hope you'll make
 it well and all Debian mysql users can sleep peacefully :)

 
- --
Regards,

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBu+IBIu0hy8THJksRAuM5AJ9VZxL8SahjDcFiPTIW+uUZ3iga3QCghi+X
ppAWp7bhN5eq4NLfORQsc1Y=
=JE9z
-----END PGP SIGNATURE-----
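
An audit sketch for the underscore issue quoted in the report above, added here as an example and not part of the original message or of any Debian or MySQL code. It relies on MySQL's documented behaviour that `_` and `%` in a database-level grant name act as wildcards unless escaped with a backslash; the database names, users and grants are constructed sample data, and case-sensitivity settings are ignored.

```python
import re

def grant_pattern_to_regex(db_pattern):
    """Translate a database-level grant name into a regex.

    Unescaped '_' matches one character, unescaped '%' matches any run,
    and a backslash makes the next character literal.
    """
    out, i = [], 0
    while i < len(db_pattern):
        ch = db_pattern[i]
        if ch == "\\" and i + 1 < len(db_pattern):
            out.append(re.escape(db_pattern[i + 1]))
            i += 2
            continue
        out.append("." if ch == "_" else ".*" if ch == "%" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def overbroad_grants(grants, databases):
    """Map (user, pattern) to the databases it covers beyond its literal name."""
    findings = {}
    for user, pattern in grants:
        rx = grant_pattern_to_regex(pattern)
        literal = re.sub(r"\\(.)", r"\1", pattern)  # name the admin intended
        extra = sorted(d for d in databases if d != literal and rx.fullmatch(d))
        if extra:
            findings[(user, pattern)] = extra
    return findings

# Constructed sample data: existing databases and (user, grant name) pairs.
DATABASES = ["shop_dev", "shop1dev", "shopXdev", "shop_prod", "hr"]
GRANTS = [
    ("alice", "shop_dev"),    # unescaped underscore: also a wildcard
    ("bob", "shop\\_dev"),    # escaped underscore: literal name only
    ("carol", "hr"),
]

if __name__ == "__main__":
    for (user, pattern), extra in overbroad_grants(GRANTS, DATABASES).items():
        print(f"{user}: grant on {pattern!r} also covers {extra}")
```
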

---------------------------------------
Received: (at 285276-done) by bugs.debian.org; 13 Apr 2005 15:22:39 +0000
>From [EMAIL PROTECTED] Wed Apr 13 08:22:39 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail3b.westend.com (mail3b2.westend.com) [212.117.79.78] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DLjhO-0001eQ-00; Wed, 13 Apr 2005 08:22:38 -0700
Received: from localhost (localhost [127.0.0.1])
        by mail3b2.westend.com (Postfix) with ESMTP id 7783C12132A;
        Wed, 13 Apr 2005 17:22:37 +0200 (CEST)
Received: from mail3b2.westend.com ([127.0.0.1])
        by localhost (mail3b [127.0.0.1]) (amavisd-new, port 20024)
        with ESMTP id 14345-05; Wed, 13 Apr 2005 17:22:25 +0200 (CEST)
Received: from xeniac.intern (office-gw.westend.com [212.117.64.2])
        by mail3b2.westend.com (Postfix) with ESMTP id D668212130E;
        Wed, 13 Apr 2005 17:22:25 +0200 (CEST)
Date: Wed, 13 Apr 2005 17:22:11 +0200
From: Christian Hammers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED]
Subject: Closing bugs for mysql-3.23 due to the release of an DSA
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
        <[EMAIL PROTECTED]>
Organization: www.debian.org
X-Mailer: Sylpheed-Claws 0.9.12b (GTK+ 1.2.10; i386-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="pgp-sha1";
 boundary="Signature=_Wed__13_Apr_2005_17_22_11_+0200_t_5DuSeOunhM0SR6"
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

--Signature=_Wed__13_Apr_2005_17_22_11_+0200_t_5DuSeOunhM0SR6
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

I'm closing the bug reports that were fixed by the just released DSA.

bye,

-christian-

--Signature=_Wed__13_Apr_2005_17_22_11_+0200_t_5DuSeOunhM0SR6
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCXTkjkR9K5oahGOYRAkEkAKCcqzV8r41cx1r0IJkHT7lZoJx9QACdHMz3
4TaRTUL4ElZeaglZOHl/74U=
=cVqw
-----END PGP SIGNATURE-----

--Signature=_Wed__13_Apr_2005_17_22_11_+0200_t_5DuSeOunhM0SR6--

