Security holes discovered in the MySQL open-source database and
client software could allow an attacker to launch a denial of
service attack or gain administrative access to the database
server, according to an alert posted by German security company
e-matters.
MySQL is a popular database server, with more than four million
installations worldwide, supporting high-profile Web sites and
business applications.
It can be run on a variety of operating systems including
Microsoft's Windows as well as Linux and Unix.
The advisory by e-matters identifies four separate vulnerabilities
in the MySQL code, two affecting the MySQL server component and two
affecting the MySQL client.
All four vulnerabilities could be used to execute denial of service
attacks against the affected MySQL component, exploiting the flaws
to crash the server or client.
The vulnerabilities range from buffer overflows that can cause
MySQL component crashes to others that could allow malicious code
to be read and executed on an affected machine.
One of the server vulnerabilities could also allow an attacker to
break into the MySQL root account and compromise the databases
running on that server.
Used in combination with each other, the vulnerabilities could
allow an attacker to break into a system running the MySQL database
server software or elevate his or her access privileges on that
system, e-matters said.
The vulnerabilities have been fixed in the latest version of MySQL
Database Server, and e-matters is urging users to update their
installations; the updated release is available at
www.mysql.com/downloads/mysql-3.23.html
A number of software vendors have also issued alerts and software
updates covering the MySQL vulnerabilities in their own products.
Guardian Digital issued an advisory encouraging users of its
EnGarde Secure Linux product to update their systems to use the
patched version of MySQL, as did the makers of Gentoo Linux, a free
Linux distribution.