
Advisories MDKSA-2007:243: Updated MySQL packages fix multiple vulnerabilities


paul

A vulnerability in MySQL prior to 5.0.45 did not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, allowing remote authenticated users to obtain sensitive information such as the table structure (CVE-2007-3781).

A vulnerability in the InnoDB engine in MySQL allowed remote authenticated users to cause a denial of service (database crash) via certain CONTAINS operations on an indexed column, which triggered an assertion error (CVE-2007-5925).

Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options could be used to overwrite system table information by replacing the file to which a symlink pointed (CVE-2007-5969).

The updated packages have been patched to correct these issues.
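
For the RENAME TABLE issue (CVE-2007-5969), an added example that is not part of the advisory: a Python audit that lists symlinked MyISAM table files under a data directory and marks those whose target resolves back inside it. It assumes the usual MyISAM layout (`.MYD`/`.MYI` files, with DATA DIRECTORY / INDEX DIRECTORY tables appearing as symlinks); the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

TABLE_EXTS = (".MYD", ".MYI")  # MyISAM data and index files (assumed layout)


def find_symlinked_tables(datadir):
    """Return sorted (link, resolved_target, inside_datadir) tuples for every
    symlinked MyISAM table file found under datadir."""
    root = os.path.realpath(datadir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory links
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(TABLE_EXTS) and os.path.islink(path):
                target = os.path.realpath(path)
                # A target that resolves back inside the datadir is unexpected:
                # DATA DIRECTORY / INDEX DIRECTORY exist to place files elsewhere.
                inside = os.path.commonpath([root, target]) == root
                findings.append((os.path.relpath(path, root), target, inside))
    return sorted(findings)


def build_sample_datadir(base):
    """Constructed sample: one plain table, one externally stored table, and
    one link that resolves into the datadir's mysql/ directory."""
    datadir = os.path.join(base, "datadir")
    external = os.path.join(base, "external")
    for d in (os.path.join(datadir, "mysql"), os.path.join(datadir, "app"), external):
        os.makedirs(d)
    for f in (os.path.join(datadir, "mysql", "user.MYD"),
              os.path.join(datadir, "app", "plain.MYD"),
              os.path.join(external, "orders.MYD")):
        open(f, "wb").close()
    os.symlink(os.path.join(external, "orders.MYD"),
               os.path.join(datadir, "app", "orders.MYD"))
    os.symlink(os.path.join(datadir, "mysql", "user.MYD"),
               os.path.join(datadir, "app", "odd.MYD"))
    return datadir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target, inside in find_symlinked_tables(build_sample_datadir(tmp)):
            label = "REVIEW  " if inside else "external"
            print(label, link, "->", target)
```

On a real server, pass the configured data directory to `find_symlinked_tables` and review each entry against the tables that are known to use external storage.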
