Debian DSA-2581-1 : mysql-5.1 - several vulnerabilities

high Nessus Plugin ID 63151

Synopsis

The remote Debian host is missing a security-related update.

Description

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.1.66, which includes additional changes, such as performance improvements and corrections for data loss defects. These changes are described in the MySQL release notes.

Additionally, CVE-2012-5611 has been fixed in this upload. The vulnerability (discovered independently by Tomas Hoger from the Red Hat Security Response Team and 'king cope') is a stack-based buffer overflow in acl_get() when checking user access to a database. Using a carefully crafted database name, an already authenticated MySQL user could make the server crash or even execute arbitrary code as the mysql system user.

Solution

Upgrade the mysql-5.1 packages.

For the stable distribution (squeeze), this problem has been fixed in version 5.1.66-0+squeeze1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690778

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695001

https://dev.mysql.com/doc/refman/5.1/en/news-5-1-66.html

https://security-tracker.debian.org/tracker/CVE-2012-5611

https://packages.debian.org/source/squeeze/mysql-5.1

https://www.debian.org/security/2012/dsa-2581

Plugin Details

Severity: High

ID: 63151

File Name: debian_DSA-2581.nasl

Version: 1.12

Type: local

Agent: unix

Published: 12/5/2012

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mysql-5.1, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2012

Reference Information

CVE: CVE-2012-3150, CVE-2012-3158, CVE-2012-3160, CVE-2012-3163, CVE-2012-3166, CVE-2012-3167, CVE-2012-3173, CVE-2012-3177, CVE-2012-3180, CVE-2012-3197, CVE-2012-5611

BID: 55990, 56003, 56005, 56017, 56018, 56021, 56027, 56028, 56036, 56041, 56769

DSA: 2581