[debian-mysql] Bug#526254: CVE-2008-4456: mysql client does not escape strings in --html mode

Devin Carraway devin at debian.org
Thu Apr 30 07:21:59 UTC 2009


Package: mysql-client-5.0
Version: 5.0.51a-24
Severity: grave
Tags: security
Justification: cross-site scripting vulnerability

Upstream is tracking a security flaw in the mysql commandline client,
identified as CVE-2008-4456:

    http://bugs.mysql.com/bug.php?id=27884

Quoth http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456 :
> Cross-site scripting (XSS) vulnerability in the command-line client in MySQL
> 5.0.26 through 5.0.45, and other versions including versions later than
> 5.0.45, when the --html option is enabled, allows attackers to inject
> arbitrary web script or HTML by placing it in a database cell, which might
> be accessed by this client when composing an HTML document. NOTE: as of
> 20081031, the issue has not been fixed in MySQL 5.0.67. 

If you fix the vulnerability, please note the CVE id in your changelog entry.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
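
The flaw class in the CVE description quoted above, as an added example that is not part of the original message and is not the MySQL client's code: a hypothetical `render_row` writes one result row as HTML table cells, first raw (`escape = 0`) and then with HTML entity escaping (`escape = 1`). The function names, the buffer interface and the sample row are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample row: the second cell holds markup stored in the database. */
const char *const SAMPLE_ROW[] = { "42", "<script>alert(1)</script> & \"x\"" };

/* Append s at out[*len]; returns -1 instead of overflowing cap. */
static int put(char *out, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > cap) return -1;
    memcpy(out + *len, s, n + 1);   /* includes the terminating NUL */
    *len += n;
    return 0;
}

/* Append one cell; with escape set, HTML metacharacters become entities. */
static int put_cell(char *out, size_t cap, size_t *len, const char *cell, int escape)
{
    for (; *cell; cell++) {
        char one[2] = { *cell, '\0' };
        const char *rep = one;
        if (escape) {
            switch (*cell) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            }
        }
        if (put(out, cap, len, rep) != 0) return -1;
    }
    return 0;
}

/* Hypothetical renderer for one result row. escape == 0 shows the flaw
 * class from the CVE text; escape == 1 is the hardened form. */
int render_row(char *out, size_t cap, const char *const *cells, size_t n, int escape)
{
    size_t len = 0;
    if (put(out, cap, &len, "<TR>") != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (put(out, cap, &len, "<TD>") != 0 ||
            put_cell(out, cap, &len, cells[i], escape) != 0 ||
            put(out, cap, &len, "</TD>") != 0)
            return -1;
    return put(out, cap, &len, "</TR>");
}
```

With `escape = 0` the stored markup reaches the generated document unchanged, which is the behaviour the report asks to have fixed; with `escape = 1` it is emitted as inert text.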




