Security Advisory: [ MDKSA-2006:097 ] - Updated MySQL packages fixes SQL injection vulnerability.

[EN] securityvulns.ru
no-pyccku

Related information
  PostgreSQL / MySQL extended character sets SQL injections
  PostgreSQL security releases 8.1.4, 8.0.8, 7.4.13, 7.3.15
  [Full-disclosure] rPSA-2006-0080-1 postgresql postgresql-server

From: MANDRIVA
Date: 08.06.2006
Subject: [ MDKSA-2006:097 ] - Updated MySQL packages fixes SQL injection vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:097
http://www.mandriva.com/security/
_______________________________________________________________________

Package : MySQL
Date    : June 7, 2006
Affected: 10.2, 2006.0
_______________________________________________________________________

Problem Description:

SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x
before 5.0.22 allows context-dependent attackers to execute arbitrary
SQL commands via crafted multibyte encodings in character sets such as
SJIS, BIG5, and GBK, which are not properly handled when the
mysql_real_escape function is used to escape the input.

MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue.

Packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.2:
5124c38a0018835bae02c529e839c2ec 10.2/RPMS/libmysql14-4.1.11-1.5.102mdk.i586.rpm
461aafb5d81f3cc1aae5ca0c3a57ff7b 10.2/RPMS/libmysql14-devel-4.1.11-1.5.102mdk.i586.rpm
5b975a40589e1c9b21570aacfe71cfc2 10.2/RPMS/MySQL-4.1.11-1.5.102mdk.i586.rpm
ee11c783d49a43d560a9013961f13b8a 10.2/RPMS/MySQL-bench-4.1.11-1.5.102mdk.i586.rpm
cd42ca4423287a9d5a69d26e006e03cb 10.2/RPMS/MySQL-client-4.1.11-1.5.102mdk.i586.rpm
ddfe045b6d2c0d5d8280f3755428726c 10.2/RPMS/MySQL-common-4.1.11-1.5.102mdk.i586.rpm
4d00eea0471f81a11b7437168bd1d91c 10.2/RPMS/MySQL-Max-4.1.11-1.5.102mdk.i586.rpm
470cf8560a7020d0ee05a875be139389 10.2/RPMS/MySQL-NDB-4.1.11-1.5.102mdk.i586.rpm
7e0571514e7a3761bb68a009658a5c12 10.2/SRPMS/MySQL-4.1.11-1.5.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
cd0e5aba35ad68dbbc880a0405af94d3 x86_64/10.2/RPMS/lib64mysql14-4.1.11-1.5.102mdk.x86_64.rpm
2acaaa74a097b9b2a935d9f08a0bda67 x86_64/10.2/RPMS/lib64mysql14-devel-4.1.11-1.5.102mdk.x86_64.rpm
989dd5ebcf132fed17e912d6f6c61d26 x86_64/10.2/RPMS/MySQL-4.1.11-1.5.102mdk.x86_64.rpm
f165db3cb9ea3d1decc102faf1fd49ca x86_64/10.2/RPMS/MySQL-bench-4.1.11-1.5.102mdk.x86_64.rpm
3babf05f2d130008711af23f1636b3f5 x86_64/10.2/RPMS/MySQL-client-4.1.11-1.5.102mdk.x86_64.rpm
b0814e05d8cff5b37a24a7f2d045d256 x86_64/10.2/RPMS/MySQL-common-4.1.11-1.5.102mdk.x86_64.rpm
bd6c36a4ee7e606e46feda8197a46dd1 x86_64/10.2/RPMS/MySQL-Max-4.1.11-1.5.102mdk.x86_64.rpm
92e4a5a9533b51eb4307921618e40911 x86_64/10.2/RPMS/MySQL-NDB-4.1.11-1.5.102mdk.x86_64.rpm
7e0571514e7a3761bb68a009658a5c12 x86_64/10.2/SRPMS/MySQL-4.1.11-1.5.102mdk.src.rpm

Mandriva Linux 2006.0:
cdfcbf1bff46a87975838a6acef3347b 2006.0/RPMS/libmysql14-4.1.12-3.3.20060mdk.i586.rpm
46eb7b15b586747f230d343e04669254 2006.0/RPMS/libmysql14-devel-4.1.12-3.3.20060mdk.i586.rpm
216c29b19afe9d9a460158ab44078f1b 2006.0/RPMS/MySQL-4.1.12-3.3.20060mdk.i586.rpm
9c1c3ce9ba1780699628d544675b513d 2006.0/RPMS/MySQL-bench-4.1.12-3.3.20060mdk.i586.rpm
11a768efef34c19b0a357dc63bf86297 2006.0/RPMS/MySQL-client-4.1.12-3.3.20060mdk.i586.rpm
2c9c2d9114844e635924c57deb13ab03 2006.0/RPMS/MySQL-common-4.1.12-3.3.20060mdk.i586.rpm
93e4be31a33683d450a1e66b667a191d 2006.0/RPMS/MySQL-Max-4.1.12-3.3.20060mdk.i586.rpm
75b641bc8e77844cb0c963b22cd3b8dd 2006.0/RPMS/MySQL-NDB-4.1.12-3.3.20060mdk.i586.rpm
0833ddf397921824b5e107c80c2b3719 2006.0/SRPMS/MySQL-4.1.12-3.3.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
e91a5d0a6640f2b2cfabe2f58e943783 x86_64/2006.0/RPMS/lib64mysql14-4.1.12-3.3.20060mdk.x86_64.rpm
65ce59f185b2cd97bfba0f81375ce31d x86_64/2006.0/RPMS/lib64mysql14-devel-4.1.12-3.3.20060mdk.x86_64.rpm
f9e7ebfd3caf11ad3c6b96687bec3bb3 x86_64/2006.0/RPMS/MySQL-4.1.12-3.3.20060mdk.x86_64.rpm
b804caa1877bb5e73139ca3125ba7e29 x86_64/2006.0/RPMS/MySQL-bench-4.1.12-3.3.20060mdk.x86_64.rpm
28465c5560636598d9d8dcad66f748dd x86_64/2006.0/RPMS/MySQL-client-4.1.12-3.3.20060mdk.x86_64.rpm
6ba9e3655de80fee76c3fb5654e633b7 x86_64/2006.0/RPMS/MySQL-common-4.1.12-3.3.20060mdk.x86_64.rpm
0225b166b7262e315fc1751e336bef8b x86_64/2006.0/RPMS/MySQL-Max-4.1.12-3.3.20060mdk.x86_64.rpm
b9d64e331f0e5e7b721db66ad69b7033 x86_64/2006.0/RPMS/MySQL-NDB-4.1.12-3.3.20060mdk.x86_64.rpm
0833ddf397921824b5e107c80c2b3719 x86_64/2006.0/SRPMS/MySQL-4.1.12-3.3.20060mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEhv7NmqjQ0CJFipgRAk/VAJ9Nc8RrtuJWhnHffujM6kH+bsrqTgCgjrtx
q/LX3TjGLUis7E3xoczIwFk=
=gYPv
-----END PGP SIGNATURE-----