[debian-mysql] Fw: Bug#451235: CVE-2007-5925 Denial of Service vulnerability in innodb via crafted query

Moritz Muehlenhoff jmm at inutil.org
Wed Nov 14 15:55:40 UTC 2007


On Wed, Nov 14, 2007 at 10:30:42AM -0500, Noah Meyerhans wrote:
> On Wed, Nov 14, 2007 at 02:55:32PM +0100, Christian Hammers wrote:
> > 
> > I've sent you the diffs for a MySQL security upload last week. Please hold it
> > back a few more days so that we can check the below vulnerability and give
> > you an updated version.
> 
> Is this going to affect all three of the supported versions?  It sounds
> like it, but I want to clarify.  The previous version is finally almost
> ready, after being delayed due to the problems with ries.  I want to make
> sure to reject only those builds that we're not going to use...

I don't know MySQL, so I'm asking very naively whether this
issue warrants re-rolling the update?
(Since it took quite some time to collect all the builds)

CVE-2007-5925[0]:
| The convert_search_mode_to_innobase function in ha_innodb.cc in the
| InnoDB engine in MySQL 5.1.23-BK and earlier allows remote
| authenticated users to cause a denial of service (database crash) via
| a certain CONTAINS operation on an indexed column, which triggers an
| assertion error.

Can this realistically be triggered through a webapp? Does it crash the
entire database server or a single delivery process? If it's more or less
harmless it could be postponed to a later MySQL DSA instead.

Cheers,
        Moritz


