CVE-2009-4484 - Out-of-bounds Write vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Tags: oracle, wolfssl, canonical, debian, mariadb, CWE-787, nessus, exploit available, metasploit

Summary

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Vulnerable Configurations

Part         Description   Count
Application  Oracle        191
Application  Wolfssl       41
Application  Mariadb       1
OS           Canonical     9
OS           Debian        3

Common Weakness Enumeration (CWE)

Exploit-Db

description: MySQL yaSSL CertDecoder::GetName Buffer Overflow. CVE-2009-4484. Remote exploit for linux platform
id: EDB-ID:16850
last seen: 2016-02-02
modified: 2010-04-30
published: 2010-04-30
reporter: metasploit
source: https://www.exploit-db.com/download/16850/
title: MySQL yaSSL CertDecoder::GetName Buffer Overflow

Metasploit

description: This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.
id: MSF:EXPLOIT/LINUX/MYSQL/MYSQL_YASSL_GETNAME
last seen: 2020-03-18
modified: 2017-07-24
published: 2010-01-27
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/mysql/mysql_yassl_getname.rb
title: MySQL yaSSL CertDecoder::GetName Buffer Overflow

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-897-1.NASL
    description: It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This issue only affected Ubuntu 8.10. (CVE-2008-4098) It was discovered that MySQL contained a cross-site scripting vulnerability in the command-line client when the --html option is enabled. An attacker could place arbitrary web script or html in a database cell, which would then get placed in the html document output by the command-line tool. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2008-4456) It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use symlinks combined with the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This issue only affected Ubuntu 9.10. (CVE-2008-7247) It was discovered that MySQL contained multiple format string flaws when logging database creation and deletion. An authenticated user could use specially crafted database names to make MySQL crash, causing a denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. (CVE-2009-2446) It was discovered that MySQL incorrectly handled errors when performing certain SELECT statements, and did not preserve correct flags when performing statements that use the GeomFromWKB function. An authenticated user could exploit this to make MySQL crash, causing a denial of service. (CVE-2009-4019) It was discovered that MySQL incorrectly checked symlinks when using the DATA DIRECTORY and INDEX DIRECTORY options. A local user could use symlinks to create tables that pointed to tables known to be created at a later time, bypassing access restrictions. (CVE-2009-4030) It was discovered that MySQL contained a buffer overflow when parsing ssl certificates. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 LTS and the default compiler options for affected releases should reduce the vulnerability to a denial of service. In the default installation, attackers would also be isolated by the AppArmor MySQL profile. (CVE-2009-4484). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44585
    published: 2010-02-11
    reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44585
    title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-897-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-897-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44585);
      script_version("1.12");
      script_cvs_date("Date: 2019/09/19 12:54:26");
    
      script_cve_id("CVE-2008-4098", "CVE-2008-4456", "CVE-2008-7247", "CVE-2009-2446", "CVE-2009-4019", "CVE-2009-4030", "CVE-2009-4484");
      script_bugtraq_id(29106, 31486, 35609, 37075, 37297, 37640, 37943, 38043);
      script_xref(name:"USN", value:"897-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-897-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that MySQL could be made to overwrite existing table
    files in the data directory. An authenticated user could use the DATA
    DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege
    checks. This update alters table creation behaviour by disallowing the
    use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY
    options. This issue only affected Ubuntu 8.10. (CVE-2008-4098) 
    
    It was discovered that MySQL contained a cross-site scripting
    vulnerability in the command-line client when the --html option is
    enabled. An attacker could place arbitrary web script or html in a
    database cell, which would then get placed in the html document output
    by the command-line tool. This issue only affected Ubuntu 6.06 LTS,
    8.04 LTS, 8.10 and 9.04. (CVE-2008-4456)
    
    It was discovered that MySQL could be made to overwrite existing table
    files in the data directory. An authenticated user could use symlinks
    combined with the DATA DIRECTORY and INDEX DIRECTORY options to
    possibly bypass privilege checks. This issue only affected Ubuntu
    9.10. (CVE-2008-7247)
    
    It was discovered that MySQL contained multiple format string flaws
    when logging database creation and deletion. An authenticated user
    could use specially crafted database names to make MySQL crash,
    causing a denial of service. This issue only affected Ubuntu 6.06 LTS,
    8.04 LTS, 8.10 and 9.04. (CVE-2009-2446)
    
    It was discovered that MySQL incorrectly handled errors when
    performing certain SELECT statements, and did not preserve correct
    flags when performing statements that use the GeomFromWKB function. An
    authenticated user could exploit this to make MySQL crash, causing a
    denial of service. (CVE-2009-4019)
    
    It was discovered that MySQL incorrectly checked symlinks when using
    the DATA DIRECTORY and INDEX DIRECTORY options. A local user could use
    symlinks to create tables that pointed to tables known to be created
    at a later time, bypassing access restrictions. (CVE-2009-4030)
    
    It was discovered that MySQL contained a buffer overflow when parsing
    ssl certificates. A remote attacker could send crafted requests and
    cause a denial of service or possibly execute arbitrary code. This
    issue did not affect Ubuntu 6.06 LTS and the default compiler options
    for affected releases should reduce the vulnerability to a denial of
    service. In the default installation, attackers would also be isolated
    by the AppArmor MySQL profile. (CVE-2009-4484).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/897-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MySQL yaSSL CertDecoder::GetName Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(59, 79, 119, 134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient15-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient15off");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient16-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqld-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqld-pic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client-5.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client-5.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-5.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-core-5.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-core-5.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"libmysqlclient15-dev", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libmysqlclient15off", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"mysql-client", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"mysql-client-5.0", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"mysql-common", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"mysql-server", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"mysql-server-5.0", pkgver:"5.0.22-0ubuntu6.06.12")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libmysqlclient15-dev", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libmysqlclient15off", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"mysql-client", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"mysql-client-5.0", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"mysql-common", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"mysql-server", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"mysql-server-5.0", pkgver:"5.0.51a-3ubuntu5.5")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libmysqlclient15-dev", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libmysqlclient15off", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"mysql-client", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"mysql-client-5.0", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"mysql-common", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"mysql-server", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"mysql-server-5.0", pkgver:"5.0.67-0ubuntu6.1")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libmysqlclient15-dev", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libmysqlclient15off", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-client", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-client-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-common", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-server", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-server-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"mysql-server-core-5.0", pkgver:"5.1.30really5.0.75-0ubuntu10.3")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient16", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"libmysqlclient16-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"libmysqld-dev", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"libmysqld-pic", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-client", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-client-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-common", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-server", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-server-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"mysql-server-core-5.1", pkgver:"5.1.37-1ubuntu5.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmysqlclient-dev / libmysqlclient15-dev / libmysqlclient15off / etc");
    }
    
  • NASL family: Databases
    NASL id: MYSQL_5_1_43_YASSL.NASL
    description: The version of MySQL installed on the remote host is older than 5.0.90, 5.1.43 or 5.5.0-m2. Such versions use yaSSL prior to 1.9.9, which is vulnerable to multiple buffer overflows. These overflows allow a remote attacker to crash the server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17835
    published: 2012-01-18
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17835
    title: MySQL < 5.0.90 / 5.1.43 / 5.5.0-m2 Multiple Buffer Overflows
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_MYSQL-6899.NASL
    description: This update fixes various security issues (bnc#557669) : upstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49903
    published: 2010-10-11
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49903
    title: SuSE 10 Security Update : MySQL (ZYPP Patch Number 6899)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_MYSQL-6897.NASL
    description: This update fixes various security issues (bnc#557669) : upstream #47320 - checking server certificates (CVE-2009-4028) upstream #48291 - error handling in subqueries (CVE-2009-4019) upstream #47780 - preserving null_value flag in GeomFromWKB() (CVE-2009-4019) upstream #39277 - symlink behaviour fixed (CVE-2008-7247) upstream #32167 - symlink behaviour refixed (CVE-2009-4030) fixing remote buffer overflow. (CVE-2009-4484)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45107
    published: 2010-03-19
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/45107
    title: SuSE 10 Security Update : MySQL (ZYPP Patch Number 6897)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1397-1.NASL
    description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.95. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information : http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58325
    published: 2012-03-13
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58325
    title: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1397-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1997.NASL
    description: Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-4019 Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement. - CVE-2009-4030 Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory. - CVE-2009-4484 Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44861
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44861
    title: Debian DSA-1997-1 : mysql-dfsg-5.0 - several vulnerabilities
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201201-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201201-02 (MySQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57446
    published: 2012-01-06
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57446
    title: GLSA-201201-02 : MySQL: Multiple vulnerabilities

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:19118
last seen: 2017-11-19
modified: 2010-02-13
published: 2010-02-13
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-19118
title: MySQL vulnerabilities

Statements

contributor: Tomas Hoger
lastmodified: 2010-01-26
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL.

References