Rapid7 Vulnerability & Exploit Database

RHSA-2010:0442: mysql security update

Back to Search

RHSA-2010:0442: mysql security update



MySQL is a multi-user, multi-threaded SQL database server. It consists ofthe MySQL server daemon (mysqld) and many client programs and libraries.A buffer overflow flaw was found in the way MySQL handled the parameters ofthe MySQL COM_FIELD_LIST network protocol command (this command is sentwhen a client uses the MySQL mysql_list_fields() client library function).An authenticated database user could send a request with an excessivelylong table name to cause a temporary denial of service (mysqld crash) or,potentially, execute arbitrary code with the privileges of the databaseserver. (CVE-2010-1850)A directory traversal flaw was found in the way MySQL handled theparameters of the MySQL COM_FIELD_LIST network protocol command. Anauthenticated database user could use this flaw to obtain descriptions ofthe fields of an arbitrary table using a request with a specially-craftedtable name. (CVE-2010-1848)A flaw was discovered in the way MySQL handled symbolic links to tablescreated using the DATA DIRECTORY and INDEX DIRECTORY directives in CREATETABLE statements. An attacker with CREATE and DROP table privileges, andshell access to the database server, could use this flaw to remove data andindex files of tables created by other database users using the MyISAMstorage engine. (CVE-2010-1626)All MySQL users are advised to upgrade to these updated packages, whichcontain backported patches to resolve these issues. After installing thisupdate, the MySQL server daemon (mysqld) will be restarted automatically.


  • redhat-upgrade-mysql
  • redhat-upgrade-mysql-bench
  • redhat-upgrade-mysql-devel
  • redhat-upgrade-mysql-server
  • redhat-upgrade-mysql-test

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center