UnixWare 7.1.4 : MySQL updated MySQL (version 4.1.11) fixes security issues

[please_reply_to_security () sco com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.4 : MySQL updated MySQL (version 4.1.11) fixes security issues
Advisory number:        SCOSA-2005.27
Issue date:             2005 June 06
Cross reference:        sr893337 fz531603 erg712817 CAN-2004-0957
______________________________________________________________________________


1. Problem Description

        MySQL 3.23.58 and earlier, when a local user has privileges
        for a database whose name includes a "_" (underscore),
        grants privileges to other databases that have similar
        names, which can allow the user to conduct unauthorized
        activities. 

        Please note the abbreviated name of the package has been 
        changed from "mysql" to "MySQL". 

        Please see the MySQL site for the complete list of changes at:
        http://dev.mysql.com/doc/mysql/en/news-4-1-11.html 
        
        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the following name CAN-2004-0957 to this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.4                  distribution

3. Solution

        The proper solution is to install the latest packages.

4. UnixWare 7.1.4

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.27

        4.2 Verification

        MD5 (MySQL-4.1.11.pkg) = 20d18d0cd571f412b211225e5088e3a2

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download MySQL-4.1.11.pkg to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/MySQL-4.1.11.pkg


5. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr893337 fz531603
        erg712817.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


7. Acknowledgments

        This vulnerability was reported to the vendor by Sergei
        Golubchik.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCpOPFaqoBO7ipriERAtZ0AKCL3SviPdj0dPsxIb+Mf+LVFC8zLwCfYVzP
1ObL4/3vIrsBk36NVESIzaA=
=B3kQ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/