Debian DSA-2818-1 : mysql-5.5 - several vulnerabilities
Medium Nessus Plugin ID 71474
Synopsis
The remote Debian host is missing a security-related update.
Description
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.5.33, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details:
- http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-32.html
- http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-33.html
In addition, this update fixes two issues that specifically affect the mysql-5.5 Debian package:
- A race condition in the post-installation script of the mysql-server-5.5 package creates the configuration file '/etc/mysql/debian.cnf' with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as the credentials of the debian-sys-maint account used to perform administration tasks. (CVE-2013-2162)
- Matthias Reichl reported that the mysql-5.5 package is missing the patches previously applied in Debian's mysql-5.1 package to drop the database 'test' and the permissions that allow anonymous access, without a password, from localhost to the 'test' database and any databases starting with 'test_'. This update reintroduces these patches for the mysql-5.5 package.
Existing databases and permissions are not touched. Please refer to the NEWS file provided with this update for further information.
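The create-then-restrict race described for CVE-2013-2162, next to a form that never exposes the file, as an added example that is not the package's actual post-installation script. The function names, file contents and password value are constructed for illustration, and `stat -c` assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added illustration; not code from the mysql-server-5.5 package.

# Create a credentials file under the given umask and do nothing else,
# so the mode the file is born with can be inspected.
create_cnf() {   # usage: create_cnf UMASK PATH PASSWORD
    ( umask "$1" &&
      printf '[client]\nuser = debian-sys-maint\npassword = %s\n' "$3" > "$2" )
}

# Print the octal permission bits of a file (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Pattern from the advisory: the file exists with mode 0644 between the
# two commands, so any local user can read it during that window.
write_cnf_racy() {   # usage: write_cnf_racy PATH PASSWORD
    create_cnf 022 "$1" "$2"
    chmod 600 "$1"
}

# Hardened form: the data is only ever written to a file that is already
# owner-only. mktemp creates the temporary file with mode 0600, and the
# rename within the same directory replaces the target atomically.
write_cnf_safe() {   # usage: write_cnf_safe PATH PASSWORD
    ( umask 077
      tmp=$(mktemp "$1.XXXXXX") || exit 1
      printf '[client]\nuser = debian-sys-maint\npassword = %s\n' "$2" > "$tmp" &&
      mv -f "$tmp" "$1" )
}

# Audit check: succeed only when group and other have no permission bits.
cnf_mode_ok() {   # usage: cnf_mode_ok PATH
    case "$(mode_of "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}
```

On an installed system, `cnf_mode_ok /etc/mysql/debian.cnf` confirms the final state only; the exposure in the racy pattern is the interval before `chmod`, which a later permission check cannot see.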
Solution
Upgrade the mysql-5.5 packages.
For the stable distribution (wheezy), these problems have been fixed in version 5.5.33+dfsg-0+wheezy1.