Mandrake Linux Security Advisory : MySQL (MDKSA-2001:014-1)

high Nessus Plugin ID 61888

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

A security problem exists in all versions of MySQL after 3.23.2 and prior to 3.23.31. The problem is that the SHOW GRANTS command could be executed by any user making it possible for anyone with a MySQL account to get the crypted password from the mysql.user table. The new 3.23.31 version fixes this.

Due to library changes, the previously announced PHP update (MDKSA-2001:013) has been updated as well so that the php-mysql module supports this new version of MySQL. It also corrects the upgrade scripts in the package, however you will still need to verify that PHP support is enabled in your /etc/httpd/conf/httpd.conf Apache configuration file and verify that the installed modules are uncommented in your /etc/php.ini file.

Update :

Previous versions of MySQL also suffered from a buffer overflow problem that has been corrected in the recent releases. This update fixes the buffer overflow problem in the MySQL packages provided with Linux- Mandrake 7.1 and Corporate Server 1.0.1.

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 61888

File Name: mandrake_MDKSA-2001-014.nasl

Version: 1.6

Type: local

Published: 9/6/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mysql, p-cpe:/a:mandriva:linux:mysql-bench, p-cpe:/a:mandriva:linux:mysql-client, p-cpe:/a:mandriva:linux:mysql-devel, p-cpe:/a:mandriva:linux:mysql-shared, p-cpe:/a:mandriva:linux:mysql-shared-libs, p-cpe:/a:mandriva:linux:php-gd, p-cpe:/a:mandriva:linux:php-imap, p-cpe:/a:mandriva:linux:php-ldap, p-cpe:/a:mandriva:linux:php-manual, p-cpe:/a:mandriva:linux:php-mysql, p-cpe:/a:mandriva:linux:php-pgsql, p-cpe:/a:mandriva:linux:php-readline, cpe:/o:mandrakesoft:mandrake_linux:7.1, cpe:/o:mandrakesoft:mandrake_linux:7.2, p-cpe:/a:mandriva:linux:mod_php, p-cpe:/a:mandriva:linux:php, p-cpe:/a:mandriva:linux:php-dba_gdbm_db2, p-cpe:/a:mandriva:linux:php-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 1/26/2001

Reference Information

CVE: CVE-2001-1274, CVE-2001-1275

MDKSA: 2001:014-1