MySQL 4.x Multiple Vulnerabilities

Icheb

Just received the following message:

TITLE:
MySQL Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA16170

VERIFY ADVISORY:
http://secunia.com/advisories/16170/

CRITICAL:
Highly critical

IMPACT:
DoS, System access

WHERE:
From remote

SOFTWARE:
MySQL 4.x
http://secunia.com/product/404/

DESCRIPTION:
Some vulnerabilities have been reported in MySQL, which can be
exploited by malicious users to cause a DoS (Denial of Service), or
potentially by malicious people to execute arbitrary code.

1) MySQL uses a vulnerable version of the zlib library.

For more information:
SA15949

2) It is possible for malicious users to crash the server in various
ways. See the vendor advisory for details.

SOLUTION:
Update to version 4.1.13.

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
http://dev.mysql.com/doc/mysql/en/news-4-1-13.html

All fine and well, but what should be done with 4.0.x servers?
I know 4.1 is stable, but still, I really wouldn't like to have to replace 4.0 on our main production servers...
 
Have any other security companies released similar statements? If only one makes the announcement, it makes you wonder...
 
There is either a mistake in that announcement or mysql 4.0.x has no fix.

I would expect the vulnerability is only in 4.1.x.
 
jmstacey said:
Have any other security companies released similar statements? If only one makes the announcement, it makes you wonder...
Haven't received any other here yet.

I would expect the vulnerability is only in 4.1.x.
When thinking about that, it seems likely it would only be 4.1.x...

<insert few min>

Yeah, Secunia fckd up...

From the changelog, there is a reference to the bug in the MySQL bug-tracking system (http://bugs.mysql.com/bug.php?id=11844), where it was stated:
[11 Jul 19:37] Jim Winstead

This only impacts MySQL 4.1 and later, as 4.0 (and earlier) includes an earlier
version of zlib that is reportedly not vulnerable.

[13 Jul 18:30] Jim Winstead

Fixed in 4.1.13 and 5.0.10.

Hmm, next time, I'll check a bit before I post and trust Secunia... :mad:
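A small triage helper that encodes what the bug report above actually states (4.0 and earlier not affected, 4.1.x fixed in 4.1.13, 5.0.x fixed in 5.0.10), added here as an example and not part of any post or of MySQL itself. It takes the string returned by `SELECT VERSION()` on each server; the sample inventory at the bottom is constructed, not real hosts.

```python
import re

# Fix versions as stated in MySQL bug #11844: 4.1.13 and 5.0.10.
# Series not listed here are either pre-4.1 (reported not vulnerable)
# or released after the fix and outside this advisory's scope.
FIXED_IN = {(4, 1): 13, (5, 0): 10}


def parse_version(version_string):
    """Extract (major, minor, patch) from SELECT VERSION() output such as
    '4.1.12-standard-log' or '5.0.9-beta'. Raises ValueError on junk."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError("unrecognised MySQL version: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def status(version_string):
    """Classify one server against the advisory:
    'affected', 'fixed', 'not-affected' or 'unknown' (series not covered)."""
    major, minor, patch = parse_version(version_string)
    if (major, minor) < (4, 1):
        # 4.0 and earlier ship an older zlib reported not vulnerable.
        return "not-affected"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        # e.g. 5.1.x: not mentioned in the bug report, so do not guess.
        return "unknown"
    return "affected" if patch < fixed_patch else "fixed"


def triage(version_strings):
    """Map each server's version string to its verdict, for a fleet report."""
    return {v: status(v) for v in version_strings}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical servers).
    sample = ["4.0.25-log", "4.1.12-standard-log", "4.1.13-log",
              "5.0.9-beta", "5.0.10", "5.1.2-alpha"]
    for version, verdict in triage(sample).items():
        print("%-22s %s" % (version, verdict))
```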
 