GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Aug 06, 2006 9:26 pm Post subject: [ GLSA 200608-09 ] MySQL: Denial of Service |
 |
|
Gentoo Linux Security Advisory
Title: MySQL: Denial of Service (GLSA 200608-09)
Severity: normal
Exploitable: remote
Date: August 06, 2006
Updated: August 07, 2006
Bug(s): #142429
ID: 200608-09
Synopsis
An authenticated user can crash MySQL through invalid parameters to the date_format function.
Background
MySQL is a popular multi-threaded, multi-user SQL server.
Affected Packages
Package: dev-db/mysql
Vulnerable: < 4.1.21
Unaffected: >= 4.1.21
Unaffected: < 4.1.0
Architectures: All supported architectures
Description
Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function.
Impact
By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service.
Workaround
There is no known workaround at this time.
Resolution
All MySQL users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --verbose --oneshot ">=dev-db/mysql-4.1.21" |
References
CVE-2006-3469
Last edited by GLSA on Tue Aug 08, 2006 4:19 am; edited 1 time in total |
|
News & Announcements
