OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Mar-2003 16:54:32
Branch: HEAD Handle: 2003031815543100
Modified files:
openpkg-web/security OpenPKG-SA-2003.022-mysql.txt page.pl
Log:
bugfix, reformat and sign MySQL SA
Summary:
Revision Changes Path
1.3 +28 -18 openpkg-web/security/OpenPKG-SA-2003.022-mysql.txt
1.7 +1 -1 openpkg-web/security/page.pl
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.022-mysql.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.022-mysql.txt
--- openpkg-web/security/OpenPKG-SA-2003.022-mysql.txt 18 Mar 2003 15:42:56
-0000 1.2
+++ openpkg-web/security/OpenPKG-SA-2003.022-mysql.txt 18 Mar 2003 15:54:31
-0000 1.3
@@ -1,9 +1,12 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2003.023 18-Mar-2003
+OpenPKG-SA-2003.022 18-Mar-2003
________________________________________________________________________
Package: mysql
@@ -11,34 +14,34 @@
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
-OpenPKG CURRENT <= mysql-3.23.55-20030318 >= mysql-3.23.56-20030211
+OpenPKG CURRENT <= mysql-3.23.55-20030211 >= mysql-3.23.56-20030318
OpenPKG 1.2 <= mysql-3.23.54a-1.2.1 >= mysql-3.23.54a-1.2.2
OpenPKG 1.1 <= mysql-3.23.52-1.1.2 >= mysql-3.23.52-1.1.3
Dependent Packages: none
Description:
- According to a message on BugTraq [0], a remote root exploit
- vulnerability exists in the 3.23.55 version and earlier versions of
- the MySQL server [1]. If the MySQL server is launched by root, as it
- is often done by system startup scripts, any database users with the
- FILE privilege can write a configuration file that causes the MySQL
- server to run under an arbitrary user id including the user id of the
- super user on the next restart.
-
- Please check whether you are affected by running "<prefix>/bin/rpm
- -q mysql". If you have the "mysql" package installed and its version
- is affected (see above), we recommend that you immediately upgrade
- it (see Solution). [2][3]
+ According to a report on BugTraq [0], a remote root exploit
+ vulnerability exists in version 3.23.55 and earlier versions of the
+ MySQL server [1]. If the MySQL server is launched by root, as it is
+ often done by system startup scripts, any database users with the
+ "FILE" privilege can write a configuration file (usually my.cnf) that
+ causes the MySQL server to run under an arbitrary user id including
+ the user id of the super-user on the next restart.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ mysql". If you have the "mysql" package installed and its version is
+ affected (see above), we recommend that you immediately upgrade it
+ (see Solution). [2][3]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
location, verify its integrity [8], build a corresponding binary RPM
- from it [2] and update your OpenPKG installation by applying the binary
- RPM [3]. For the current release OpenPKG 1.2, perform the following
- operations to permanently fix the security problem (for other releases
- adjust accordingly).
+ from it [2] and update your OpenPKG installation by applying the
+ binary RPM [3]. For the current release OpenPKG 1.2, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
@@ -73,3 +76,10 @@
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE+d0EdgHWT4GPEy58RAhGxAKDAaLrjSbB4V2ItfrOCjj8nB13+/ACgqfW9
+unh+dQiYexu1PGIWMLA9F+U=
+=415D
+-----END PGP SIGNATURE-----
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/page.pl
============================================================================
$ cvs diff -u -r1.6 -r1.7 page.pl
--- openpkg-web/security/page.pl 18 Mar 2003 15:44:45 -0000 1.6
+++ openpkg-web/security/page.pl 18 Mar 2003 15:54:31 -0000 1.7
@@ -12,7 +12,7 @@
foreach my $sa (reverse sort @SA) {
my ($base, $name) = ($sa =~ m|^(OpenPKG-SA-(.+))\.txt$|);
next if ($name =~ m|^0000|);
- next if ($name =~ m|^2003\.02[2-9]|);
+ next if ($name =~ m|^2003\.02[3-9]|);
$sidebar .= "<a href=\"$base.html\">$name</a><br>";
}
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
