Status of MySQL 3.23/4.0 regarding 5.0.22 security bug? - Christian Hammers - com.mysql.lists.packagers

5 messages in com.mysql.lists.packagersStatus of MySQL 3.23/4.0 regarding 5....

From	Sent On	Attachments
Joerg Bruehe	31 May 2006 10:34
Christian Hammers	31 May 2006 16:23
Lenz Grimmer	08 Jun 2006 05:00
Christian Hammers	08 Jun 2006 05:37
Lenz Grimmer	08 Jun 2006 05:47

Subject:	Status of MySQL 3.23/4.0 regarding 5.0.22 security bug?
From:	Christian Hammers (ch...@debian.org)
Date:	05/31/2006 04:23:55 PM
List:	com.mysql.lists.packagers

Hello

On 2006-05-31 Joerg Bruehe wrote:

Solution This vulnerability of mysql_real_escape_string() is fixed in the latest certified binary releases of 4.1.16a and 5.0.17c, as well as in MySQL versions 4.1.20, 5.0.22, and 5.1.11-beta (not yet released).

Debian likes to provide security updates for our last two releases which shipped with MySQL 3.23.49 and 4.0.24. Can you commend upon their vulnerability and maybe even provide patches? The 4.1 and 5.0 diffs were almost the same but do not apply to 3.23 and 4.0 which, too, look very similar so maybe at least a patch for 4.0 would be enough for us.

Do you have a prove of concept exploit that we could use to verify that our security uploads really fix the problem?

Has there already a CVE id assigned to this issue or did you contact anybody to do so? Else the Debian Security Team could register one.

bye,

-christian-