Tuesday, 06 January 2009
MySQL Vulnerabilities
Courtesy: Sukh  
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problem with Perl's safe mode; some serious vulnerabilities in MySQL; buffer overflows in wget, tcpdump, Canna, and GTetrinet; and problems in lynx, mICQ, Sun Cobalt RaQ 4 Server Appliances, xdvi, dvips, and Exim.

    * Perl
    * MySQL
    * wget
    * lynx
    * mICQ
    * Sun Cobalt RaQ 4 Server Appliances
    * xdvi and dvips (kpathsea library)
    * tcpdump
    * GTetrinet
    * Exim
    * Canna
    * OpenLDAP2

Perl


The Safe extension module (Safe.pm), which is distributed with all versions of the Perl programming language, has a security flaw that is exploitable when a Safe compartment is used multiple times.

Affected users should contact their vendor for updated packages.

MySQL

MySQL has several vulnerabilities that can be used to execute arbitrary code or used in a denial-of-service attack against the database server. These vulnerabilities include:

    * A buffer overflow in the code that handles COM_TABLE_DUMP can be used in a denial-of-service attack. The buffer overflow is reported to affect Linux, FreeBSD, and MS Windows systems.
    * There is a flaw in the password authentication system in MySQL that makes it possible for an attacker to authenticate as another user in no more than 32 attempts. The attacker must have a valid account and can only attack accounts that have permission to log in from the host they are on. A local user or a remote user in an environment that allows remote root logins can gain full access to all databases. There is also a buffer overflow in the password authentication system.
    * The MySQL client is vulnerable to a buffer overflow when it reads rows from the database. This vulnerability can be used in a denial-of-service attack against the client and may, under some circumstances, be exploitable to execute code on the client machine.

It is recommended that users upgrade to MySQL 3.23.54 as soon as possible. Any software that is linked against libmysql should also be upgraded or recompiled.

wget

Several problems have been reported in wget, a file retrieval utility that uses FTP or HTTP to fetch files across a network. These problems include a buffer overflow in the code that handles the URL of the file to be retrieved, and a problem with the processing of FTP server responses that can result, under some conditions, in arbitrary local files being overwritten.

Users should watch their vendor for an updated package that repairs this problem.

lynx

The text-based Web browser lynx does not properly filter all illegal characters. This can be used by an attacker to insert extra HTTP headers into a request.

Affected users should watch their vendor for an updated version.
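One way to apply the filtering described above, as an added example that is not lynx's code: `encode_request_target` is a hypothetical helper that percent-encodes control characters, spaces and non-ASCII bytes in a URL path before it is placed on the HTTP request line, so an embedded CR or LF cannot begin a new header. The sample input is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed input: a path carrying an embedded CRLF and header text. */
static const char SAMPLE[] = "/index.html\r\nX-Injected: 1";

/*
 * Copy `in` to `out`, percent-encoding every byte that must not appear raw
 * in an HTTP request target: control characters (including CR and LF),
 * space, DEL and bytes >= 0x80. Returns the encoded length, or -1 if `out`
 * (capacity `cap`, counting the terminating NUL) is too small.
 */
int encode_request_target(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (in == NULL || out == NULL || cap == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c <= 0x20 || c >= 0x7F) {
            if (cap - o < 4)            /* need "%XX" plus the NUL */
                return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        } else {
            if (cap - o < 2)            /* need one byte plus the NUL */
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[128];

    /* Refuse to send anything if encoding fails; never fall back to raw. */
    if (encode_request_target(SAMPLE, buf, sizeof buf) < 0)
        return 1;
    printf("GET %s HTTP/1.0\r\n\r\n", buf);
    return 0;
}
```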
mICQ

The text-based ICQ client mICQ is vulnerable to a denial-of-service attack. This attack is conducted by sending the client ICQ messages that do not contain the required separator 0xFE.

Users of mICQ should watch for a repaired version.
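A defensive parsing pattern for the missing-separator case described above, as an added example that is not mICQ's code: the two-field message layout, the `struct field` type and the function name `split_fe` are assumptions for illustration, and the sample messages are constructed. The point is that an absent 0xFE is reported as an error instead of being used as a pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICQ_SEP 0xFE    /* field separator byte named in the advisory */

struct field { const unsigned char *ptr; size_t len; };

/* Constructed sample messages (not captured traffic). */
static const unsigned char SAMPLE_OK[]  = { 'n','i','c','k', ICQ_SEP, 'h','i' };
static const unsigned char SAMPLE_BAD[] = { 'n','i','c','k', 'h','i' };

/*
 * Split msg[0..len) into exactly `expected` fields separated by ICQ_SEP.
 * Returns 0 on success, -1 if a required separator is missing or an extra
 * one is present. Fields point into msg and are not NUL-terminated, so
 * callers must use the recorded lengths. On failure `out` is unspecified.
 */
int split_fe(const unsigned char *msg, size_t len,
             struct field *out, size_t expected)
{
    if (msg == NULL || out == NULL || expected == 0)
        return -1;
    const unsigned char *cur = msg, *end = msg + len;

    for (size_t i = 0; i < expected; i++) {
        /* memchr is bounded by the bytes that remain, never by a NUL. */
        const unsigned char *sep = memchr(cur, ICQ_SEP, (size_t)(end - cur));
        int last = (i + 1 == expected);
        if (last ? sep != NULL : sep == NULL)
            return -1;          /* extra separator, or the missing one */
        out[i].ptr = cur;
        out[i].len = (size_t)((last ? end : sep) - cur);
        cur = last ? end : sep + 1;
    }
    return 0;
}

int main(void)
{
    struct field f[2];
    printf("ok=%d bad=%d\n",
           split_fe(SAMPLE_OK, sizeof SAMPLE_OK, f, 2),
           split_fe(SAMPLE_BAD, sizeof SAMPLE_BAD, f, 2));
    return 0;
}
```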
Sun Cobalt RaQ 4 Server Appliances

The Sun Cobalt RaQ 4 server appliances package, with the Security Hardening package (RaQ4-SHP Release 1.x.x) installed, has a vulnerability that can be exploited by a remote attacker to execute arbitrary code with root permissions. The vulnerability is in a CGI application installed on the server. It is reported that a script to automate exploitation of this vulnerability is available.

It is recommended that users apply the update available from Sun as soon as possible.

xdvi and dvips (kpathsea library)

The kpathsea library, which is used by xdvi and dvips, calls system() in an insecure manner. This may be exploitable using a carefully-crafted DVI file to execute arbitrary commands with the permissions of the user running xdvi or dvips (often the printer user account lp).

Users should watch their vendor for an updated version of the kpathsea library and should recompile any applications that were statically linked to the vulnerable version.
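The safer alternative to passing file-derived text to system(), as an added example that is not kpathsea's code: a name read from an untrusted file is checked against an allowlist and handed to a helper program as a single argument, with no shell involved. The helper program, the sample name and both function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only short names made of [A-Za-z0-9_.-] that do not start with
 * '-', so the value can be neither shell syntax, a path, nor an option. */
int name_is_safe(const char *s)
{
    size_t n = 0;

    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++, n++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return n <= 64;
}

/* Run `helper -- name` without a shell. Returns the helper's exit status,
 * or -1 if the name is rejected or the process could not be run. */
int run_helper(const char *helper, const char *name)
{
    int status;
    pid_t pid;

    if (helper == NULL || !name_is_safe(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv is passed as-is: no word splitting, no metacharacters. */
        execlp(helper, helper, "--", name, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample name; "echo" stands in for the real helper. */
    printf("status=%d\n", run_helper("echo", "cmr10"));
    return 0;
}
```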

tcpdump

tcpdump is vulnerable to a remotely exploitable buffer overflow in the code that handles BGP decoding. This buffer overflow can be used to crash tcpdump and may under some conditions be exploited to execute code with the permissions of the user running tcpdump (often root).

Users should contact their vendors for a repaired version of tcpdump and should consider disabling it until it has been repaired.

GTetrinet

GTetrinet, a multi-player game, is vulnerable to several buffer overflows that can be exploited by a GTetrinet server.

Affected users should upgrade to GTetrinet 0.4.4 as soon as possible. If GTetrinet is not being used, users should consider removing it from the system.

Exim

The Exim message transfer agent has a vulnerability that can be exploited by a local attacker who has access to the admin user of Exim to gain root permissions. The admin user of Exim is set when the software is compiled. A program to automate the exploitation of this vulnerability has been released.

Concerned users should upgrade Exim to a repaired version.

Canna

Canna, a server used to enable Japanese-language input, has a buffer overflow that can be exploited to execute code with the permissions of the user running Canna (usually bin). The buffer overflow is present in all versions of Canna through version 3.5b2. An additional vulnerability can be exploited in a remote denial-of-service attack and affects versions of Canna through 3.6.

Users should watch their vendor for updated packages which repair these problems.

OpenLDAP2

OpenLDAP2 is an open source version of Lightweight Directory Access Protocol (LDAP) tools and servers. Buffer overflows have been found in OpenLDAP2 that can be remotely exploited to execute arbitrary commands on the server. Also, other locally-exploitable problems have been found.