______________________________________________________________________________

Caldera Systems, Inc. Security Advisory

Subject:          MySQL remote access vulnerability
Advisory number:  CSSA-2000-003.0
Issue date:       2000 February, 14
Cross reference:
______________________________________________________________________________

1. Problem Description

   A vulnerability in the authentication function of MySQL has been
   discovered. Any user on a machine that is allowed to connect to the MySQL
   server and who knows a valid username for the MySQL server can skip
   password authentication.

2. Vulnerable Versions

   Systems : OpenLinux eServer 2.3
   Packages: previous to mysql-3.22.32-1S

   OpenLinux Desktop 2.3 is not affected.

3. Solution

   The proper solution is to upgrade to the latest packages:

   rpm -F mysql-devel-3.22.32-1S.i386.rpm
   rpm -F mysql-bench-3.22.32-1S.i386.rpm
   rpm -F --force mysql-client-3.22.32-1S.i386.rpm
   rpm -F mysql-3.22.32-1S.i386.rpm

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:
   ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/RPMS/

   The corresponding source code package can be found at:
   ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/SRPMS

5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -F mysql-devel-3.22.32-1S.i386.rpm
   rpm -F mysql-bench-3.22.32-1S.i386.rpm
   rpm -F --force mysql-client-3.22.32-1S.i386.rpm
   rpm -F mysql-3.22.32-1S.i386.rpm

6. Verification

   4f0319e027d3f402eebbd90f6ae66762 RPMS/mysql-3.22.32-1S.i386.rpm
   ca5f5a3c1102370d0a23a1eea1cef969 RPMS/mysql-bench-3.22.32-1S.i386.rpm
   755340507399a63df33a96786f907d14 RPMS/mysql-client-3.22.32-1S.i386.rpm
   18fd772e2430c0f5ab0e8632559ee2a0 RPMS/mysql-devel-3.22.32-1S.i386.rpm
   f2d08e08b92348c8427a89ab8800b395 SRPMS/mysql-3.22.32-1S.src.rpm

7. References

   This and other Caldera security resources are located at:
   http://www.calderasystems.com/support/security/index.html

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
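As an added example that is not part of the Caldera advisory, the following POSIX shell script ties sections 5 and 6 together: it checks every MD5 sum listed under Verification and runs the rpm -F commands from Installing Fixed Packages only when all of them match. It assumes the downloaded packages sit in RPMS/ and SRPMS/ under the current directory (the paths used in section 6) and that GNU md5sum is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory: verify the MD5 sums from
# section 6 before applying the rpm -F upgrade from section 5. Assumes the
# packages were fetched into RPMS/ and SRPMS/ under the current directory,
# matching the paths given in the advisory's Verification section.

# Expected sums, copied verbatim from the advisory (section 6).
ADVISORY_SUMS='4f0319e027d3f402eebbd90f6ae66762 RPMS/mysql-3.22.32-1S.i386.rpm
ca5f5a3c1102370d0a23a1eea1cef969 RPMS/mysql-bench-3.22.32-1S.i386.rpm
755340507399a63df33a96786f907d14 RPMS/mysql-client-3.22.32-1S.i386.rpm
18fd772e2430c0f5ab0e8632559ee2a0 RPMS/mysql-devel-3.22.32-1S.i386.rpm
f2d08e08b92348c8427a89ab8800b395 SRPMS/mysql-3.22.32-1S.src.rpm'

# md5_matches FILE EXPECTED: succeeds only if FILE exists and its MD5 is EXPECTED.
md5_matches() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_all: checks every line of ADVISORY_SUMS and fails if any file is
# missing or altered. A here-document (not a pipe) feeds the loop so the
# failure counter is updated in the current shell, not a subshell.
verify_all() {
    failed=0
    while read -r expected file; do
        if md5_matches "$file" "$expected"; then
            echo "OK       $file"
        else
            echo "MISMATCH $file"
            failed=$((failed + 1))
        fi
    done <<EOF
$ADVISORY_SUMS
EOF
    [ "$failed" -eq 0 ]
}

# Install only when explicitly asked, and only after every checksum matched.
if [ "${1:-}" = "--install" ]; then
    verify_all || { echo "checksum verification failed; not installing" >&2; exit 1; }
    rpm -F RPMS/mysql-devel-3.22.32-1S.i386.rpm
    rpm -F RPMS/mysql-bench-3.22.32-1S.i386.rpm
    rpm -F --force RPMS/mysql-client-3.22.32-1S.i386.rpm
    rpm -F RPMS/mysql-3.22.32-1S.i386.rpm
fi
```

Run it as `sh verify-mysql-update.sh --install` from the directory holding RPMS/ and SRPMS/; without the flag it defines the functions and does nothing.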