
List:       oss-security
Subject:    Re: [oss-security] CVE request, security issues fixed in MySQL 5.1.51
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2010-10-07 20:57:14
Message-ID: Pine.GSO.4.64.1010071655550.16065 () faron ! mitre ! org


Looks like there were 8 security bugs reported at 
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-51.html, not 7.

These all have different affected versions claimed, so each gets a 
separate CVE.

- Steve


Bug#55826 - incorrect propagation of type errors in evaluation of
arguments to extreme-value functions

   CVE-2010-3833
   "create table .. select crashes with when KILL_BAD_DATA is returned"
   5.0.91,5.1.49,5.1.50-bzr,5.5.5

Bug#55568 - The server could crash after materializing a derived table
that required a temporary table for grouping.

   CVE-2010-3834
   "user variable assignments crash server when used within query"
   5.0.91-debug,5.1.49-debug

Bug #55564 - A user-variable assignment expression that is evaluated
in a logical expression context can be precalculated in a temporary
table for GROUP BY. However, when the expression value is used after
creation of the temporary table, it was re-evaluated, not read from
the table and a server crash resulted.

   CVE-2010-3835
   "crash with user variables, assignments, joins..."
   5.0.92, 5.1.37, 5.1.49, 5.1.50-bzr, 5.5.6-m3

Bug#54568 - Pre-evaluation of LIKE predicates during view preparation
could cause a server crash.

   CVE-2010-3836
   "create view cause Assertion failed: 0, file .\item_subselect.cc, line 836"
   5.0.91-debug, 5.1.47-debug

Bug#54476 - GROUP_CONCAT() and WITH ROLLUP together could cause a
server crash.

   CVE-2010-3837
   "crash when group_concat and 'with rollup' in prepared statements"
   5.0.91, 5.1.47, 5.1.49-bzr, 5.5.3

   see: [23 Jul 14:25] Alexey Kopytov

Bug#54461 - Queries could cause a server crash if the GREATEST() or
LEAST() function had a mixed list of numeric and LONGBLOB arguments,
and the result of such a function was processed using an intermediate
temporary table.

   CVE-2010-3838
   "crash with longblob and union or update with subquery"
   5.0.91,5.1.47, 5.5.3, 5.5.5-m3

Bug#53544 - Queries with nested joins could cause an infinite loop in
the server when used from stored procedures and prepared statements.

   CVE-2010-3839
   "Server hangs during JOIN query in stored procedure called twice in a row"
   5.1.47, 5.6.99-m4 Dahlia, bzr_mysql-6.0-codebase-bugfixing

Bug#51875 - The PolyFromWKB() function could crash the server when
improper WKB data was passed to the function.

   CVE-2010-3840
   "crash when loading data into geometry function polyfromwkb"
   5.0.90,5.1.44
