Rapid7 Vulnerability & Exploit Database

CESA-2003:094: mysql security update

Back to Search

CESA-2003:094: mysql security update

Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
03/24/2003
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

Updated packages are available that fix both a double-free security vulnerability and a remote root exploit security vulnerability found in the MySQL server. [Updated 11 Aug 2003] Updated mysqlclient9 packages are now included. These were previously missing from this erratum.

MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. A remote root exploit vulnerability in mysqld, for MySQL before version 3.23.56, allows MySQL users to gain root privileges by overwriting configuration files. Previous versions of the MySQL packages do not contain the thread safe client library (libmysqlclient_r). All users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.56.

Solution(s)

  • centos-upgrade-mysql
  • centos-upgrade-mysql-devel
  • centos-upgrade-mysql-server
  • centos-upgrade-mysqlclient9

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;