Rapid7 Vulnerability & Exploit Database

RHSA-2007:0894: mysql security update

Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Published: 05/15/2007
Created: 07/25/2018
Added: 11/26/2007
Modified: 07/12/2017

Description

Updated MySQL packages for the Red Hat Application Stack comprising the v1.2 release fixed various security issues. The security issues in this errata are rated as having important security impact by the Red Hat Security Response Team.

On 23 August 2007, Red Hat Application Stack v1.2 was released. This release contained a new version of MySQL that corrected several security issues found in the MySQL packages of Red Hat Application Stack v1.1. Users who have already updated to Red Hat Application Stack v1.2 will already have the new MySQL packages and are not affected by these issues.

A flaw was discovered in MySQL's authentication protocol. A remote unauthenticated attacker could send a specially crafted authentication request to the MySQL server, causing it to crash. (CVE-2007-3780)

MySQL did not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement. A remote authenticated user could obtain sensitive information such as the table structure. (CVE-2007-3781)

A flaw was discovered in MySQL that allowed remote authenticated users to gain update privileges for a table in another database via a view that refers to the external table. (CVE-2007-3782)

A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. A remote authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)

MySQL did not require the DROP privilege for RENAME TABLE statements. A remote authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)

Solution(s)

  • redhat-upgrade-mysql
  • redhat-upgrade-mysql-bench
  • redhat-upgrade-mysql-cluster
  • redhat-upgrade-mysql-devel
  • redhat-upgrade-mysql-libs
  • redhat-upgrade-mysql-server
  • redhat-upgrade-mysql-test
