FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mysql -- ALTER MERGE denial of service vulnerability

Affected packages
mysql-server <= 3.23.58_3
4.* <= mysql-server < 4.0.21
4.1.* <= mysql-server < 4.1.1

Details

VuXML ID 06a6b2cf-484b-11d9-813c-00065be4b5b6
Discovery 2004-01-15
Entry 2004-12-16
Modified 2005-03-15

Dean Ellis reported a denial of service vulnerability in the MySQL server:

Multiple threads ALTERing the same (or different) MERGE tables to change the UNION eventually crash the server or hang the individual threads.

Note that a script demonstrating the problem is included in the MySQL bug report. An attacker who controls a MySQL account can easily use a modified version of that script during an attack.

References

Bugtraq ID 11357
CVE Name CVE-2004-0837
URL http://bugs.mysql.com/bug.php?id=2408
URL http://rhn.redhat.com/errata/RHSA-2004-611.html