[Pkg-mysql-commits] r1125 - in trunk/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Wed Jan 23 07:58:42 UTC 2008


Author: nobse
Date: 2008-01-23 07:58:42 +0000 (Wed, 23 Jan 2008)
New Revision: 1125

Modified:
   trunk/debian/changelog
   trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch
Log:
Updated patch description for CVE-2008-0226 and CVE-2008-0227.

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2008-01-22 18:48:14 UTC (rev 1124)
+++ trunk/debian/changelog	2008-01-23 07:58:42 UTC (rev 1125)
@@ -1,11 +1,12 @@
 mysql-dfsg-5.0 (5.0.51-3) UNRELEASED; urgency=high
 
   * SECURITY:
-    Fix for CVE-2008-0226 and CVE-2008-0227: yaSSL was subject to a pre-
-    authentication buffer-overflow exploit that could lead to remote code
-    execution or a server crash. The exploit requires a server with yaSSL
-    enabled and TCP/IP connections enabled. The exploit does not apply to
-    OpenSSL. (closes: #460873)
+    Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
+    versions 1.7.5 and earlier were discovered that could lead to a server
+    crash or execution of unauthorized code. The exploit requires a server
+    with yaSSL enabled and TCP/IP connections enabled, but does not require
+    valid MySQL account credentials. The exploit does not apply to OpenSSL.
+    (closes: #460873)
   * Fix LSB header in init scripts (patch from Petter Reinholdtsen).
     (closes: #458798)
   * Run testsuite on all archs, but ignore errors on alpha, arm, armel, hppa,
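Review bot: the reworded SECURITY entry says "Three vulnerabilities" but names only two CVE ids, so a reader cannot tell how the three issues map onto CVE-2008-0226 and CVE-2008-0227; a short clause stating which id covers which issue would help. The rewrite also changes "remote code execution" to "execution of unauthorized code". Since the same sentence says only TCP/IP connections are needed and no valid MySQL account credentials, keeping the word "remote" would preserve the severity signal that matches urgency=high.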

Modified: trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch
===================================================================
--- trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch	2008-01-22 18:48:14 UTC (rev 1124)
+++ trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch	2008-01-23 07:58:42 UTC (rev 1125)
@@ -2,11 +2,11 @@
 ## 94_SECURITY_CVE-2008-0226+0227.dpatch by Norbert Tretkowski <nobse at debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2008-0226 and CVE-2008-0227: yaSSL was subject to a
-## pre-authentication buffer-overflow exploit that could lead to remote
-## code execution or a server crash. The exploit requires a server with
-## yaSSL enabled and TCP/IP connections enabled. The exploit does not
-## apply to OpenSSL. (closes: #460873)
+## DP: Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
+## DP: versions 1.7.5 and earlier were discovered that could lead to a server
+## DP: crash or execution of unauthorized code. The exploit requires a server
+## DP: with yaSSL enabled and TCP/IP connections enabled, but does not require
+## DP: valid MySQL account credentials. The exploit does not apply to OpenSSL.
 
 @DPATCH@
 diff -Nrup a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
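Review bot: the new "## DP:" description drops the "(closes: #460873)" reference that the removed text carried, while the changelog entry in this same revision keeps it. If that is deliberate, fine; otherwise add a final "## DP: (closes: #460873)" line so the patch header and the changelog stay in step. Prefixing every continuation line with "## DP:" is right, given the header comment that only lines beginning with "## DP:" count as the description.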



