Advisories:rPSA-2006-0147

From rPath Wiki

rPath Security Advisory 2006-0147-2

Published: 2006-08-07

Updated

1. 2006-08-25 Fixed server crash with temporary tables (MySQL bug 21582)

Products

• rPath Linux 1

Rating

Informational

Exposure Level Classification

Local Non-deterministic Weakness

Updated Versions

• mysql=conary.rpath.com@rpl:1/5.0.24-2-0.1
• mysql-bench=conary.rpath.com@rpl:1/5.0.24-2-0.1
• mysql-server=conary.rpath.com@rpl:1/5.0.24-2-0.1

rPath Issue Tracking System

• RPL-568

References

• http://bugs.mysql.com/15195
• http://bugs.mysql.com/21582

Description

In previous versions of the mysql package, there is no option to disable

the MERGE storage engine, which can lead to a various vulnerabilities if

a user's privileges are revoked on a target table but not on a MERGE

table that references it. In this version of the mysql package, the

mysql server has a new "--skip-merge" option that disables the MERGE

storage engine, which can be used to limit exposure to this potential

weakness. Using the "--skip-merge" option also limits functionality,

and it should not be enabled without consideration for local usage

requirements.

The initial version of the mysql 5.0.24 packages had a bug which

caused occasional server crashes with extensive temporary table use.

This bug has been resolved by an official MySQL patch in subsequent

versions.

Copyright 2006 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html