Subject: pkg/19750: databases/mysql-client & -server (version 3.23.49) has an unfixed security hole (xs4)
To: None <>
From: Rogier Krieger <>
List: netbsd-bugs
Date: 01/09/2003 02:54:08
>Number:         19750
>Category:       pkg
>Synopsis:       pkgsrc mysql packages have unfixed security risks (remote vulnerabilities)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 08 18:55:00 PST 2003
>Originator:     Rogier Krieger
>Release:        NetBSD 1.6_STABLE
KSV Sanctus Virgilius
System: NetBSD karres 1.6_STABLE NetBSD 1.6_STABLE (KARRES) #0: Fri Dec 27 13:53:52 CET 2002 root@karres:/usr/src/sys/arch/i386/compile/KARRES i386
Architecture: i386
Machine: i386
	The mysql-client and mysql-server packages in the databases directory have remotely
	exploitable vulnerabilities, according to the vulnerabilities database. They are
	of version 3.23.49.

	My daily security check is alerting me with the following two messages:

	Package mysql-client-3.23.49nb1 has a remote-code-execution vulnerability, see
	Package mysql-server-3.23.49 has a remote-code-execution vulnerability, see

	So far, I have not been able to find an updated version (3.23.54 is adversited
	at the website) for these packages, which worries me a bit.

	I guess the holidays are a problematic time for a security fix, but I just
	wanted to put in the database in case it got overlooked.

	Check the distfiles and Makefiles on the databases/mysql-client and
	databases. They list a version number of 3.23.49.

	The vulnerabilities listing has the rest.

	So far, all I can think of is either disabling the service entirely
	or to place a firewall around it for the time being. Too bad this
	cannot stop local users from exploiting the database.

	A package update should do the trick. I unfortunately do not know
	how to do such a thing. Sorry for bugging you with it.