MDKSA-2006:149

Package name

MySQL

Date

2006-08-24

Advisory ID

MDKSA-2006:149

Affected versions

2006.0 i586 , 2006.0 x86_64

Problem description

MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to
access a table through a previously created MERGE table, even after the
user's privileges are revoked for the original table, which might
violate intended security policy (CVE-2006-4031).

The update allows the local admin to override MERGE using the
'--skip-merge' option when running mysqld. This can be defined under
MYSQLD_OPTIONS in /etc/sysconfig/mysqld. If '--skip-merge' is not used,
the old behaviour of MERGE tables is still used.

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12,
when run on case-sensitive filesystems, allows remote authenticated
users to create or access a database when the database name differs
only in case from a database for which they have permissions
(CVE-2006-4226).

Packages have been patched to correct these issues.

Updated packages

2006.0 i586

 33376bae20533f62ef5b549b34167843  2006.0/RPMS/libmysql14-4.1.12-4.6.20060mdk.i586.rpm
 8f979c11aff7632c2baf8a16dfd20f7d  2006.0/RPMS/libmysql14-devel-4.1.12-4.6.20060mdk.i586.rpm
 efdf42901fb07957dcae0667f4224c79  2006.0/RPMS/MySQL-4.1.12-4.6.20060mdk.i586.rpm
 b8af458067a90bdc24572e5e4e65486e  2006.0/RPMS/MySQL-bench-4.1.12-4.6.20060mdk.i586.rpm
 bc50ec326174fd40d4305fd869f40148  2006.0/RPMS/MySQL-client-4.1.12-4.6.20060mdk.i586.rpm
 af157fcfa86fe01b523382b9b4cf7574  2006.0/RPMS/MySQL-common-4.1.12-4.6.20060mdk.i586.rpm
 48ff5161c87ea0b2a562d8a85c71ba77  2006.0/RPMS/MySQL-Max-4.1.12-4.6.20060mdk.i586.rpm
 9fbe8915b7e10bbb059f40ce2d87fc79  2006.0/RPMS/MySQL-NDB-4.1.12-4.6.20060mdk.i586.rpm
 12ec1435c493ec7d4503a70a114bb0ff  2006.0/SRPMS/MySQL-4.1.12-4.6.20060mdk.src.rpm

2006.0 x86_64

 a3e7eb190788f55675f32149061b76bc  x86_64/2006.0/RPMS/lib64mysql14-4.1.12-4.6.20060mdk.x86_64.rpm
 f73190c2eb69d25456268504eed1b8f8  x86_64/2006.0/RPMS/lib64mysql14-devel-4.1.12-4.6.20060mdk.x86_64.rpm
 03695f3ec8872dc610c5f6dd938bf9b5  x86_64/2006.0/RPMS/MySQL-4.1.12-4.6.20060mdk.x86_64.rpm
 76935c458a2f18d93940c352f9c19151  x86_64/2006.0/RPMS/MySQL-bench-4.1.12-4.6.20060mdk.x86_64.rpm
 8af8fbdf8931ec7a1da24dd06a8c26cc  x86_64/2006.0/RPMS/MySQL-client-4.1.12-4.6.20060mdk.x86_64.rpm
 a7d2e88a3f0b7d5be8b3243978992d94  x86_64/2006.0/RPMS/MySQL-common-4.1.12-4.6.20060mdk.x86_64.rpm
 c9f07a98015f74b918d622501a059c23  x86_64/2006.0/RPMS/MySQL-Max-4.1.12-4.6.20060mdk.x86_64.rpm
 70cebedfedcd93bb5a46b3852ba3e1a1  x86_64/2006.0/RPMS/MySQL-NDB-4.1.12-4.6.20060mdk.x86_64.rpm
 12ec1435c493ec7d4503a70a114bb0ff  x86_64/2006.0/SRPMS/MySQL-4.1.12-4.6.20060mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226