1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200608-09 / mysql |
| Release Date | August 06, 2006 |
| Latest Revision | August 07, 2006: 02 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| dev-db/mysql | < 4.1.21 | >= 4.1.21, < 4.1.0 | All supported architectures |
Related bugreports: #142429
An authenticated user can crash MySQL through invalid parameters to the date_format function.
MySQL is a popular multi-threaded, multi-user SQL server.
Jean-David Maillefer discovered a format string vulnerability in time.cc where MySQL fails to properly handle specially formatted user input to the date_format function.
By specifying a format string as the first parameter to the date_format function, an authenticated attacker could cause MySQL to crash, resulting in a Denial of Service.
There is no known workaround at this time.
All MySQL users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --verbose --oneshot ">=dev-db/mysql-4.1.21" |