[Bug 201009] Re: [mysql-dfsg-5.0] fix for several open vulnerabilities in -proposed
jamie at ubuntu.com
Fri Mar 14 19:15:48 GMT 2008
** Description changed:
*** Impact ***
mysql as included in Ubuntu is vulnerable to several CVEs:
CVE-2006-7232 (DoS, small patch)
CVE-2007-2692 (privilege escalation, large patch)
CVE-2007-6303 (privilege escalation)
CVE-2008-0226 (overflow, small patch)
CVE-2008-0227 (DoS, small patch)
CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 are non-intrusive patches
and would normally be pushed in a standard security update.
CVE-2007-6303 required an additional adapted patch for
http://bugs.mysql.com/bug.php?id=21080 on dapper and edgy.
CVE-2007-2692 is fixed in Debian, but it is incomplete. To properly fix this CVE, relevant code from these upstream commits also had to be adapted and applied:
http://lists.mysql.com/commits/23056 (dapper - feisty)
These changes were too extensive to apply without modification, so they
were adapted to have minimal, but effective changes.
CVE-2007-6303 and CVE-2007-2692 are both important privilege escalation
vulnerabilities and need to be addressed.
*** Development branch ***
These vulnerabilities are fixed in Hardy. However, MySQL has a lot of changes in their stable 5.0.x series, and backported fixes from a later version to an earlier version can be extensive, as in the case of CVE-2007-6303 and CVE-2007-2692.
Other major distributions either have not fixed CVE-2007-6303 and
CVE-2007-2692 or simply performed a MicroVersionUpdate. This option was
evaluated several months ago and it was decided that a full
MicroVersionUpdate would likely cause too many problems in a stable
release, based on upstream release notes from 5.0.22 (dapper) to 5.0.45
(the released version that fixed these vulnerabilities).
*** Regression Testing ***
These patches have undergone testing on i386 and amd64 and do not appear to introduce any regressions. Each patch adds test cases to the internal mysql-test test suite for the issue being fixed, and all expected tests pass (edgy and feisty have a test that fails, but it failed prior to this update). In addition, packages were tested with qa-regression-testing scripts and all pass.
The patches and commits for CVE-2007-6303 and CVE-2007-2692 were verified against upstream changelogs and release notes to not introduce database incompatibilities or regressions on their own.
*** Regression Potential ***
It is believed CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 have little regression potential. CVE-2007-6303 and CVE-2007-2692 have potential for regression as the patches are larger and adapted from various commits. Users of SQL SECURITY INVOKER for stored routines and views with DEFINER values would be the most likely to see regressions.
*** Further Testing ***
- Packages will be uploaded to -proposed and an email sent to get more widespread testing. Please report any regressions in the -proposed packages in this bug report.
+ Packages have been uploaded to -proposed and an email sent to get more widespread testing. Please report any regressions in the -proposed packages in this bug report.