GLSA-200605-13 : MySQL: Information leakage

medium Nessus Plugin ID 21355

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200605-13 (MySQL: Information leakage).

The processing of the COM_TABLE_DUMP command by a MySQL server fails to properly validate packets that arrive from the client via a network socket.

Impact :

By crafting specific malicious packets, an attacker could gather confidential information from the memory of a MySQL server process, for example results of queries by other users or applications. By using PHP code injection or similar techniques, it would be possible to exploit this flaw through web applications that use MySQL as a database backend.

Note that on 5.x versions it is possible to overwrite the stack and execute arbitrary code with this technique. Users of MySQL 5.x are urged to upgrade to the latest available version.

Workaround :

There is no known workaround at this time.

Solution

All MySQL users should upgrade to the latest version.

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-db/mysql-4.0.27'

See Also

http://www.nessus.org/u?0c8bb2e4

https://security.gentoo.org/glsa/200605-13

Plugin Details

Severity: Medium

ID: 21355

File Name: gentoo_GLSA-200605-13.nasl

Version: 1.17

Type: local

Published: 5/13/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mysql, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/11/2006

Vulnerability Publication Date: 5/2/2006

Reference Information

CVE: CVE-2006-1516, CVE-2006-1517

BID: 17780

GLSA: 200605-13