Debian DSA-1783-1 : mysql-dfsg-5.0 - multiple vulnerabilities

medium Nessus Plugin ID 38642

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. The Common Vulnerabilities and Exposures project identifies the following two problems :

- CVE-2008-3963 Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in a SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (etch), but not the stable distribution (lenny).

- CVE-2008-4456 Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, 'mysql
--html ...'). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a website.

Solution

Upgrade the mysql-dfsg-5.0 packages.

For the old stable distribution (etch), these problems have been fixed in version 5.0.32-7etch10.

For the stable distribution (lenny), these problems have been fixed in version 5.0.51a-24+lenny1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498362

https://security-tracker.debian.org/tracker/CVE-2008-3963

https://security-tracker.debian.org/tracker/CVE-2008-4456

https://www.debian.org/security/2009/dsa-1783

Plugin Details

Severity: Medium

ID: 38642

File Name: debian_DSA-1783.nasl

Version: 1.14

Type: local

Agent: unix

Published: 4/30/2009

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mysql-dfsg-5.0, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 4/29/2009

Reference Information

CVE: CVE-2008-3963, CVE-2008-4456

CWE: 134, 79

DSA: 1783