We had a compiling problem on the SL4 x86_64 rpms. It has been fixed and is working now.
Both the x86_64 and i386 rpm's have been rebuilt with the new name to keep consistency.
No code has been changed. The rpm's were only recompiled.

SL 4.x

SRPMS:
mysql-4.1.22-2.el4.sl.src.rpm
i386:
mysql-4.1.22-2.el4.sl.i386.rpm
mysql-bench-4.1.22-2.el4.sl.i386.rpm
mysql-devel-4.1.22-2.el4.sl.i386.rpm
mysql-server-4.1.22-2.el4.sl.i386.rpm
x86_64:
mysql-4.1.22-2.el4.sl.i386.rpm
mysql-4.1.22-2.el4.sl.x86_64.rpm
mysql-bench-4.1.22-2.el4.sl.x86_64.rpm
mysql-devel-4.1.22-2.el4.sl.i386.rpm
mysql-devel-4.1.22-2.el4.sl.x86_64.rpm
mysql-server-4.1.22-2.el4.sl.x86_64.rpm

Troy

Troy Dawson wrote:
> Synopsis: Moderate: mysql security, bug fix, and enhancement update
> Issue date: 2008-07-24
> CVE Names: CVE-2006-3469 CVE-2006-4031 CVE-2007-2691
> CVE-2008-2079
>
> MySQL did not correctly check directories used as arguments for the DATA
> DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated
> attacker could elevate their access privileges to tables created by other
> database users. Note: this attack does not work on existing tables. An
> attacker can only elevate their access to another user's tables as the
> tables are created. As well, the names of these created tables need to be
> predicted correctly for this attack to succeed. (CVE-2008-2079)
>
> MySQL did not require the "DROP" privilege for "RENAME TABLE" statements.
> An authenticated user could use this flaw to rename arbitrary tables.
> (CVE-2007-2691)
>
> MySQL allowed an authenticated user to access a table through a previously
> created MERGE table, even after the user's privileges were revoked from the
> original table, which might violate intended security policy. This is
> addressed by allowing the MERGE storage engine to be disabled, which can be
> done by running mysqld with the "--skip-merge" option.
> (CVE-2006-4031)
>
> A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to
> crash via crafted SQL queries. This only caused a temporary denial of
> service, as the MySQL daemon is automatically restarted after the crash.
> (CVE-2006-3469)
>
> As well, these updated packages fix the following bugs:
>
> * in the previous mysql packages, if a column name was referenced more
> than once in an "ORDER BY" section of a query, a segmentation fault
> occurred.
>
> * when MySQL failed to start, the init script returned a successful (0)
> exit code. When using the Red Hat Cluster Suite, this may have caused
> cluster services to report a successful start, even when MySQL failed to
> start. In these updated packages, the init script returns the correct exit
> codes, which resolves this issue.
>
> * it was possible to use the mysqld_safe command to specify invalid port
> numbers (higher than 65536), causing invalid ports to be created, and, in
> some cases, a "port number definition: unsigned short" error. In these
> updated packages, when an invalid port number is specified, the default
> port number is used.
>
> * when setting "myisam_repair_threads > 1", any repair set the index
> cardinality to "1", regardless of the table size.
>
> * the MySQL init script no longer runs "chmod -R" on the entire database
> directory tree during every startup.
>
> * when running "mysqldump" with the MySQL 4.0 compatibility mode option,
> "--compatible=mysql40", mysqldump created dumps that omitted the
> "auto_increment" field.
>
> As well, the MySQL init script now uses more reliable methods for
> determining parameters, such as the data directory location.
>
> Note: these updated packages upgrade MySQL to version 4.1.22.
> For a full
> list of bug fixes and enhancements, refer to the MySQL release notes:
> http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html
>
> SL 4.x
>
> SRPMS:
> mysql-4.1.22-2.el4.src.rpm
> i386:
> mysql-4.1.22-2.el4.i386.rpm
> mysql-bench-4.1.22-2.el4.i386.rpm
> mysql-devel-4.1.22-2.el4.i386.rpm
> mysql-server-4.1.22-2.el4.i386.rpm
> x86_64:
> mysql-4.1.22-2.el4.i386.rpm
> mysql-4.1.22-2.el4.x86_64.rpm
> mysql-bench-4.1.22-2.el4.x86_64.rpm
> mysql-devel-4.1.22-2.el4.i386.rpm
> mysql-devel-4.1.22-2.el4.x86_64.rpm
> mysql-server-4.1.22-2.el4.x86_64.rpm
>
> -Connie Sieh
> -Troy Dawson
>

--
__________________________________________________
Troy Dawson (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________