Updates for MySQL remedy vulnerabilities
The developers of the widely used MySQL open source database have released new versions and announced others to remedy three vulnerabilities. Under certain circumstances, attackers can reportedly manipulate information in a system table by replacing symbolic links when a table is renamed. The security advisory at MySQL.org does not provide any further details.
In addition, a server can be crashed when it is handling federated tables, which are stored on another database server; MySQL queries them remotely. If the remote server then responds with fewer columns than expected, the local server crashes.
Furthermore, in some cases a flaw in the command ALTER VIEW may allow a user to inherit a previous user's right to that view. The flaws affect all versions of MySQL. They have, however, been remedied in the currently available versions MySQL Enterprise 5.0.52 [MRU] and MySQL Community Server 5.0.51. The flaws have also reportedly been remedied in MySQL 5.1.23 and MySQL 6.0.4, though the latter is not yet officially available for downloading.
In addition to security fixes, a number of improvements have been made to the database. Finally, numerous minor flaws that did not affect security have also been remedied.
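To check an inventory against the fixed releases named above, the following added example (not code from MySQL or from the article) triages `SELECT VERSION()` strings. It assumes Enterprise builds carry `enterprise` in the version suffix and treats everything else as Community; the host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed releases named in the article, per (major, minor) branch.
# The article distinguishes editions only on the 5.0 branch.
FIXED = {
    (5, 0): {"community": (5, 0, 51), "enterprise": (5, 0, 52)},
    (5, 1): {"community": (5, 1, 23), "enterprise": (5, 1, 23)},
    (6, 0): {"community": (6, 0, 4), "enterprise": (6, 0, 4)},
}

# major.minor.patch, optional letter (e.g. 5.0.51a), optional -suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(.*))?$")

def parse_version(banner):
    """Split a version string such as '5.0.45-community-log'."""
    m = VERSION_RE.match(banner.strip().lower())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {banner!r}")
    numeric = tuple(int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(5) or ""
    # Assumption: Enterprise builds have 'enterprise' in the suffix.
    edition = "enterprise" if "enterprise" in suffix else "community"
    return numeric, edition

def triage(banner):
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one server."""
    numeric, edition = parse_version(banner)
    branch = FIXED.get(numeric[:2])
    if branch is None:
        # All versions are affected, but no fixed release is named here.
        return "no-fix-listed"
    return "fixed" if numeric >= branch[edition] else "vulnerable"

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "db1": "5.0.45-community-log",
    "db2": "5.0.51a-community",
    "db3": "5.0.51-enterprise-gpl",
    "db4": "5.1.22-rc",
    "db5": "4.1.22-standard",
}

def report(inventory):
    return {host: triage(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Servers on branches reported as `no-fix-listed` need a move to a branch with a fixed release, since the article names none for them.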
- MySQL allows remote authenticated users to gain privileges, CVE security advisory
- Remote authenticated users can overwrite system table information, CVE security advisory
- Changes in MySQL 5.1.23 (Not yet released), MySQL.org announcement