LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Pardus alert 2010-29 (mysql-server)



From:
    	      Eren Turkay <eren@pardus.org.tr> 


To:
    	      pardus-security@pardus.org.tr 


Subject:
    	      [Pardus-security] [PLSA 2010-29] MySQL: Privilege Check Bypass 


Date:
    	      Tue,  9 Feb 2010 22:56:09 +0200 (EET)


Message-ID:
    	      <20100209205609.47163A7ACF1@lider.pardus.org.tr>


Archive-link:
    	      Article, Thread
              


------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-29            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-02-09
  Severity: 3
      Type: Local
------------------------------------------------------------------------

Summary
=======

A security issue has been fixed in MySQL, which  can  be  exploited  by 
malicious, local users to bypass certain security restrictions. 


Description
===========

sql/sql_table.cc in MySQL, when the  data  home  directory  contains  a 
symlink to a different filesystem, allows remote authenticated users to 
bypass intended access restrictions by calling CREATE TABLE with a  (1) 
DATA  DIRECTORY or  (2)  INDEX  DIRECTORY  argument  referring  to   a  
subdirectory that requires following this symlink. 


Affected packages:

  Pardus 2009:
    mysql-server, all before 5.1.41-46-9


Resolution
==========

There are update(s) for mysql-server. You can update them  via  Package 
Manager or with a single command from console: 

    pisi up mysql-server

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12211
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7247

------------------------------------------------------------------------

_______________________________________________
Pardus-security mailing list
Pardus-security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds