Executive Summary
| Summary | |
|---|---|
| Title | New mysql-ocaml packages provide secure escaping |
| Informations | |||
|---|---|---|---|
| Name | DSA-1910 | First vendor Publication | 2009-10-14 |
| Vendor | Debian | Last vendor Modification | 2009-10-14 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny1. For the oldstable distribution (etch), this problem has been fixed in version 1.0.4-2+etch1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your mysql-ocaml packages. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1910 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13669 | |||
| Oval ID: | oval:org.mitre.oval:def:13669 | ||
| Title: | DSA-1910-1 mysql-ocaml -- missing escape function | ||
| Description: | It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string. This is needed, because mysql_real_escape_string honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape and takes the established database connection as a first argument. The old escape_string was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution, this problem has been fixed in version 1.0.4-4+lenny1. For the oldstable distribution, this problem has been fixed in version 1.0.4-2+etch1. For the testing distribution and the unstable distribution , this problem will be fixed soon. We recommend that you upgrade your mysql-ocaml packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1910-1 CVE-2009-2942 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | mysql-ocaml |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7959 | |||
| Oval ID: | oval:org.mitre.oval:def:7959 | ||
| Title: | DSA-1910 mysql-ocaml -- missing escape function | ||
| Description: | It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1910 CVE-2009-2942 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | mysql-ocaml |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-17 | Name : Fedora Core 10 FEDORA-2009-10582 (ocaml-mysql) File : nvt/fcore_2009_10582.nasl |
| 2009-11-17 | Name : Fedora Core 11 FEDORA-2009-10701 (ocaml-mysql) File : nvt/fcore_2009_10701.nasl |
| 2009-10-19 | Name : Debian Security Advisory DSA 1910-1 (mysql-ocaml) File : nvt/deb_1910_1.nasl |
| 2009-10-19 | Name : Mandrake Security Advisory MDVSA-2009:279 (ocaml-mysql) File : nvt/mdksa_2009_279.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 59030 | mysql-ocaml for MySQL mysql_real_escape_string() Function Character Escaping ... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1910.nasl - Type : ACT_GATHER_INFO |
| 2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-10582.nasl - Type : ACT_GATHER_INFO |
| 2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-10701.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:55 |
|
| 2013-09-09 21:21:59 |
|
