Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 15-Sep-2003 13:17:14
Branch: OPENPKG_1_2_SOLID HEAD Handle: 2003091512171202
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/mysql mysql.patch mysql.spec
Log:
SA-2003.038-mysql; CAN-2003-0780
Summary:
Revision Changes Path
1.3.4.4 +18 -0 openpkg-src/mysql/mysql.patch
1.49.2.1.2.5+1 -1 openpkg-src/mysql/mysql.spec
1.6563 +1 -0 openpkg-web/news.txt
patch -p0 <<'@@ .'
Index: openpkg-src/mysql/mysql.patch
============================================================================
$ cvs diff -u -r1.3.4.3 -r1.3.4.4 mysql.patch
--- openpkg-src/mysql/mysql.patch 19 Mar 2003 07:59:05 -0000 1.3.4.3
+++ openpkg-src/mysql/mysql.patch 15 Sep 2003 11:17:14 -0000 1.3.4.4
@@ -252,3 +252,21 @@
#define MY_CHECK_ERROR 1 /* Params to my_end; Check open-close */
#define MY_GIVE_INFO 2 /* Give time info about process*/
+
+http://marc.theaimsgroup.com/?l=bugtraq&m=106323221912927&w=4
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780
+ Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL
+ 4.0.14 and earlier, and 3.23.x, allows attackers to execute
+ arbitrary code via a long Password field
+
+--- sql/sql_acl.cc.orig 2002-12-05 10:37:06.000000000 +0100
++++ sql/sql_acl.cc 2003-09-15 13:01:19.000000000 +0200
+@@ -206,7 +206,7 @@
+ "Found old style password for user '%s'. Ignoring user. (You may
want to restart using --old-protocol)",
+ user.user ? user.user : ""); /* purecov: tested */
+ }
+- else if (length % 8) // This holds true for passwords
++ else if (length % 8 || length > 16) // This holds true for
passwords
+ {
+ sql_print_error(
+ "Found invalid password for user: '[EMAIL PROTECTED]'; Ignoring
user",
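Review bot: The new bound on the `else if` line is a bare magic number, and the comment kept beside it, `// This holds true for passwords`, no longer explains what the condition guards — as written it admits only lengths 0, 8 and 16. Since the advisory text quoted above the nested hunk locates the overflow in get_salt_from_password, the limit should be tied to the buffer it protects and the comment rewritten, e.g. `else if (length % 8 || length > 16) // longer hashes overflow the salt buffer filled by get_salt_from_password`. Enforcing the length check only at this call site leaves the helper itself unguarded; if get_salt_from_password is reachable from other callers, the same bound would presumably have to be checked inside it as well — confirm against the rest of sql_acl.cc. The enclosing function starts and ends outside the hunk, and several lines of this nested patch (the two sql_print_error messages and the changed `else if` line) appear to have been wrapped by the mailer, so they will need re-joining before the patch applies.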
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/mysql/mysql.spec
============================================================================
$ cvs diff -u -r1.49.2.1.2.4 -r1.49.2.1.2.5 mysql.spec
--- openpkg-src/mysql/mysql.spec 19 Mar 2003 09:06:15 -0000 1.49.2.1.2.4
+++ openpkg-src/mysql/mysql.spec 15 Sep 2003 11:17:14 -0000 1.49.2.1.2.5
@@ -37,7 +37,7 @@
Group: Database
License: GPL
Version: %{V_major}.%{V_minor}
-Release: 1.2.3
+Release: 1.2.4
# package options
%option with_berkeleydb yes
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.6562 -r1.6563 news.txt
--- openpkg-web/news.txt 15 Sep 2003 10:59:35 -0000 1.6562
+++ openpkg-web/news.txt 15 Sep 2003 11:17:12 -0000 1.6563
@@ -1,3 +1,4 @@
+15-Sep-2003: Upgraded package: P<mysql-3.23.54a-1.2.4>
15-Sep-2003: Upgraded package: P<mysql-4.0.14-1.3.2>
15-Sep-2003: New package: P<jam-2.5-20030915>
15-Sep-2003: Upgraded package: P<qt-3.2.1-20030915>
@@ .