-----BEGIN PGP SIGNED MESSAGE-----


______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                MySQL remote access vulnerability
Advisory number:        CSSA-2000-003.0
Issue date:             2000 February, 14
Cross reference:
______________________________________________________________________________


1. Problem Description

   A vulnerability in the authentication function of MySQL has been
   discovered.  Any user on a machine that is allowed to connect to
   the MySQL server and who knows a valid username for the MySQL
   server can skip password authentication.
 
2. Vulnerable Versions

   Systems : OpenLinux eServer 2.3
   Packages: previous to mysql-3.22.32-1S

   OpenLinux Desktop 2.3 is not affected.

3. Solution

   The proper solution is to upgrade to the latest packages

        rpm -F mysql-devel-3.22.32-1S.i386.rpm
        rpm -F mysql-bench-3.22.32-1S.i386.rpm
        rpm -F --force mysql-client-3.22.32-1S.i386.rpm
        rpm -F mysql-3.22.32-1S.i386.rpm

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.calderaystems.com/pub/eServer/updates/2.3/current/SRPMS


5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

        rpm -F mysql-devel-3.22.32-1S.i386.rpm
        rpm -F mysql-bench-3.22.32-1S.i386.rpm
        rpm -F --force mysql-client-3.22.32-1S.i386.rpm
        rpm -F mysql-3.22.32-1S.i386.rpm
        
6. Verification

   4f0319e027d3f402eebbd90f6ae66762  RPMS/mysql-3.22.32-1S.i386.rpm
   ca5f5a3c1102370d0a23a1eea1cef969  RPMS/mysql-bench-3.22.32-1S.i386.rpm
   755340507399a63df33a96786f907d14  RPMS/mysql-client-3.22.32-1S.i386.rpm
   18fd772e2430c0f5ab0e8632559ee2a0  RPMS/mysql-devel-3.22.32-1S.i386.rpm
   f2d08e08b92348c8427a89ab8800b395  SRPMS/mysql-3.22.32-1S.src.rpm
7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

8. Disclaimer
   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOKhigun+9R4958LpAQFuHgQAud3+RF1IHkvC32nkm4YUpyNXavX6uXDa
QErO3icgYNPea4H2ylfzLoNdYEF+tbXHHDM9ykAUc5FW07ar21UnXvbXoazflZ76
9m61z8i8nCenxHKfnnIC66Fbc2uB6oT7eyg4h9SV2tjbcuXJTi/Xdq057D4KUyfL
gGln12NR/tI=
=zOU7
-----END PGP SIGNATURE-----