blob: 753f5277096852fb0cacf43f1bb5e4d24a5273f7 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200608-09">
<title>MySQL: Denial of Service</title>
An authenticated user can crash MySQL through invalid parameters to the
date_format function.
<product type="ebuild">mysql</product>
<announced>August 06, 2006</announced>
<revised>August 07, 2006: 02</revised>
<package name="dev-db/mysql" auto="yes" arch="*">
<unaffected range="ge">4.1.21</unaffected>
<unaffected range="lt">4.1.0</unaffected>
<vulnerable range="lt">4.1.21</vulnerable>
MySQL is a popular multi-threaded, multi-user SQL server.
Jean-David Maillefer discovered a format string vulnerability in where MySQL fails to properly handle specially formatted user
input to the date_format function.
<impact type="normal">
By specifying a format string as the first parameter to the date_format
function, an authenticated attacker could cause MySQL to crash,
resulting in a Denial of Service.
There is no known workaround at this time.
All MySQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --verbose --oneshot &quot;&gt;=dev-db/mysql-4.1.21&quot;</code>
<uri link="">CVE-2006-3469</uri>
<metadata tag="requester" timestamp="Sun, 06 Aug 2006 17:22:07 +0000">
<metadata tag="bugReady" timestamp="Sun, 06 Aug 2006 17:22:38 +0000">
<metadata tag="submitter" timestamp="Sun, 06 Aug 2006 18:32:52 +0000">