Message-Id: <20081229161443.4F595B8019@phoenix.codelabs.ru>
Date: Mon, 29 Dec 2008 19:14:43 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: ale@freebsd.org
Subject: ports/130025: [vuxml] databases/mysql41-server: document CVE-2007-2691, CVE-2007-3780 and CVE-2007-5969
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports

>Number: 130025
>Category: ports
>Synopsis: [vuxml] databases/mysql41-server: document CVE-2007-2691, CVE-2007-3780 and CVE-2007-5969
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 29 16:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

Document multiple issues that are still real for databases/mysql41-server, since it stays (almost) at 4.1.22. Vulnerable versions of FreeBSD ports for 5.0, 5.1 and 6.0 are at least 1.5 years old, so I am mentioning them mostly for completeness.

>How-To-Repeat:

See
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5969
and references therein, especially MySQL bug entries.

>Fix:

The following VuXML entries should be evaluated and added:

--- vuln.xml begins here ---
mysql -- renaming of arbitrary tables by authenticated users
mysql-server
4.1 4.1.23
5.0 5.0.42
5.1 5.1.18

MySQL developers report:

The requirement of the DROP privilege for RENAME TABLE was not enforced.

CVE-2007-2691 24016 http://bugs.mysql.com/bug.php?id=27515 15-05-2007 TODAY
--- vuln.xml ends here ---

--- vuln.xml begins here ---
mysql -- remote Denial of Service via malformed password packet
mysql-server
4.1 4.1.24
5.0 5.0.44
5.1 5.1.20

MySQL developers report:

A malformed password packet in the connection protocol could cause the server to crash.

CVE-2007-3780 25017 http://bugs.mysql.com/bug.php?id=28984 15-07-2007 TODAY
--- vuln.xml ends here ---

--- vuln.xml begins here ---
mysql -- privilege escalation and overwrite of the system table information
mysql-server
4.1 4.1.24
5.0 5.0.51
5.1 5.1.23
6.0 6.0.4

MySQL developers report:

Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the file to which the symlink points.

CVE-2007-5969 26765 http://bugs.mysql.com/bug.php?id=32111 14-11-2007 TODAY
--- vuln.xml ends here ---

I would collapse them all into a single entry, but versions of affected products are different for each entry, so it is not possible without cheating and cheating is bad ;)

All these should be gone when ports/130023 or its variation is committed into the FreeBSD ports tree.

>Release-Note:
>Audit-Trail:
>Unformatted:
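Added example (not part of the original report, and not FreeBSD or VuXML tooling): a Python check that maps a mysql-server port version to the three CVE entries proposed above, using the version pairs listed in the report. It assumes each pair is an inclusive lower bound followed by an exclusive upper bound, which the archived text does not show; the function names are hypothetical.

```python
import re

# Version pairs as listed in the three proposed entries. Reading each pair as
# (inclusive lower bound, exclusive upper bound) is an assumption: the range
# tags are not visible in the archived message.
ENTRIES = {
    "CVE-2007-2691": [("4.1", "4.1.23"), ("5.0", "5.0.42"), ("5.1", "5.1.18")],
    "CVE-2007-3780": [("4.1", "4.1.24"), ("5.0", "5.0.44"), ("5.1", "5.1.20")],
    "CVE-2007-5969": [("4.1", "4.1.24"), ("5.0", "5.0.51"), ("5.1", "5.1.23"),
                      ("6.0", "6.0.4")],
}


def parse_version(text):
    """Turn '4.1.22', '4.1.22_1' or '5.0.45,1' into a comparable int tuple.

    The port revision (_N) and epoch (,N) suffixes are dropped; with plain
    upstream bounds on both ends this does not change the range result.
    """
    base = re.split(r"[_,]", text.strip(), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", base):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in base.split("."))


def affected_by(version):
    """Return the sorted list of CVE ids whose ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in ENTRIES.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


def distinct_range_sets():
    """Count how many different range sets the entries use."""
    return len({tuple(ranges) for ranges in ENTRIES.values()})


if __name__ == "__main__":
    # Constructed sample versions, chosen around the listed boundaries.
    for sample in ("4.1.22", "4.1.23", "5.0.44", "5.1.22", "6.0.3", "5.0.51"):
        print(sample, affected_by(sample) or "not listed")
    print("distinct range sets:", distinct_range_sets())
```

For 4.1.22, the version the report says the port stays at, all three entries match, and the three range sets are all different, which is the reason given for keeping the entries separate.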