-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:149 http://www.mandriva.com/security/ _______________________________________________________________________ Package : MySQL Date : August 24, 2006 Affected: 2006.0 _______________________________________________________________________ Problem Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031). The update allows the local admin to override MERGE using the '--skip-merge' option when running mysqld. This can be defined under MYSQLD_OPTIONS in /etc/sysconfig/mysqld. If '--skip-merge' is not used, the old behaviour of MERGE tables is still used. MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). Packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 33376bae20533f62ef5b549b34167843 2006.0/RPMS/libmysql14-4.1.12-4.6.20060mdk.i586.rpm 8f979c11aff7632c2baf8a16dfd20f7d 2006.0/RPMS/libmysql14-devel-4.1.12-4.6.20060mdk.i586.rpm efdf42901fb07957dcae0667f4224c79 2006.0/RPMS/MySQL-4.1.12-4.6.20060mdk.i586.rpm b8af458067a90bdc24572e5e4e65486e 2006.0/RPMS/MySQL-bench-4.1.12-4.6.20060mdk.i586.rpm bc50ec326174fd40d4305fd869f40148 2006.0/RPMS/MySQL-client-4.1.12-4.6.20060mdk.i586.rpm af157fcfa86fe01b523382b9b4cf7574 2006.0/RPMS/MySQL-common-4.1.12-4.6.20060mdk.i586.rpm 48ff5161c87ea0b2a562d8a85c71ba77 2006.0/RPMS/MySQL-Max-4.1.12-4.6.20060mdk.i586.rpm 9fbe8915b7e10bbb059f40ce2d87fc79 2006.0/RPMS/MySQL-NDB-4.1.12-4.6.20060mdk.i586.rpm 12ec1435c493ec7d4503a70a114bb0ff 2006.0/SRPMS/MySQL-4.1.12-4.6.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: a3e7eb190788f55675f32149061b76bc x86_64/2006.0/RPMS/lib64mysql14-4.1.12-4.6.20060mdk.x86_64.rpm f73190c2eb69d25456268504eed1b8f8 x86_64/2006.0/RPMS/lib64mysql14-devel-4.1.12-4.6.20060mdk.x86_64.rpm 03695f3ec8872dc610c5f6dd938bf9b5 x86_64/2006.0/RPMS/MySQL-4.1.12-4.6.20060mdk.x86_64.rpm 76935c458a2f18d93940c352f9c19151 x86_64/2006.0/RPMS/MySQL-bench-4.1.12-4.6.20060mdk.x86_64.rpm 8af8fbdf8931ec7a1da24dd06a8c26cc x86_64/2006.0/RPMS/MySQL-client-4.1.12-4.6.20060mdk.x86_64.rpm a7d2e88a3f0b7d5be8b3243978992d94 x86_64/2006.0/RPMS/MySQL-common-4.1.12-4.6.20060mdk.x86_64.rpm c9f07a98015f74b918d622501a059c23 x86_64/2006.0/RPMS/MySQL-Max-4.1.12-4.6.20060mdk.x86_64.rpm 70cebedfedcd93bb5a46b3852ba3e1a1 x86_64/2006.0/RPMS/MySQL-NDB-4.1.12-4.6.20060mdk.x86_64.rpm 12ec1435c493ec7d4503a70a114bb0ff x86_64/2006.0/SRPMS/MySQL-4.1.12-4.6.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE7eLtmqjQ0CJFipgRAjkQAJ9aFYCHpdgaXCQ2zLt1L4GjGvI1bgCglxxV p5SWwcdzJt5Za4x4ISsE4WQ= =7H3d -----END PGP SIGNATURE-----