[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] MySQL CVEs
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-06-19 17:50:03
Message-ID: 4FE0BBCB.9090709 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/18/2012 10:50 AM, Tomas Hoger wrote:
> Hijacking this thread a bit...
> 
> On Sat, 9 Jun 2012 17:30:38 +0200 Sergei Golubchik wrote:
> 
>> MySQL bug report: http://bugs.mysql.com/bug.php?id=64884 MySQL
>> fix: 
>> http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
>>
>> 
MySQL changelog:
>> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html 
>> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
> 
> In addition to 64884 / CVE-2012-2122 reported by Sergei, 5.1.63
> release notes also mention additional security fix:
> 
> * Security Fix: Bug #59387 was fixed.
> 
> which can be tracked to the following commit:
> 
> http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
>
>  This allows non-admin mysql user to crash mysqld.  The fix is also
> in 5.5.24, but it is not mentioned in 5.5.24 releases notes or
> changelog file included in the sources.  5.0.x is affected too.
> Can the CVE be assigned?  I'm CCing Oracle security team
> explicitly, so they can reply with their existing assignment (if
> any), and/or are aware of the new assignment.

Please use CVE-2012-2749 for this issue.

> Additionally, 5.5.23 changes include another security fix:
> 
> * Security Fix: Bug #59533 was fixed.
> 
> However, I've not had much luck trying to find a commit or any
> further info for this issue.  Upstream bug is private.  Does anyone
> have any further info?

Please use CVE-2012-2750 for this issue. I guess this will be one of
those "Unspecified vulnerability in MySQL before 5.5.23 has unknown
impact and attack vectors, related to a "Security Fix." "

> Additionally, following bugs try to collect info on MySQL security 
> fixes in the last released and an upcoming Oracle CPU:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=832477 
> https://bugzilla.redhat.com/show_bug.cgi?id=832540
> 
> It would be nice if Oracle could confirm the mapping between CVEs
> and particular issues to avoid any incorrect guesses.
> 
> If anyone else has been looking into trying to map Oracle assigned
> CVEs to specific changes and has any info missing in the above
> bugs, feel free to comment there.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP4LvLAAoJEBYNRVNeJnmTh7oQAJJ4iVkvl1P3kFP8cT9OTY1H
pbsqj/Ehj8Y+T5C/y7ZriEUcrHr9xJiwRQAUTlvtydRmslIAp2ptSEGkuLOJMe/C
hBqrIUtJKzJSJQC6Xa4pmcObZ11zzP39STttQr6OdC4VUsLvKKWzXc6TkXn8iQiQ
FQ8INUXM1JBUJiVBEJnVOqG5svX6WT0o1iqPgaaIoU37LJmzP8pW0fgcpHBAdSPv
hwe5ys5pcNNloJVm9yNFksJiyfJ4g0ES5PrEaFMStfUuZj+RlDFdEIvciNESwpxL
SxUl9X2+aFlEo0h7Bn4FrwvhC9pZ7HS5m6n+n6QX7LMHmsF24l022RvegyIqaE38
YBAKXVrRjw/8GiF77lyB3vOh7reC8eou7APo4tvdNmzmAC5wpAiz6+xspxAg0LNI
0D72rhskm0GnnXQ61upw0CR5COPaN37hP4x6BhtUuJMOZ6DX1CmrN3S4RaVyza01
3ohWYefrA0m1hgASHHJG9W+0OVR6b/cGzvOzsj/bVHdJXsCgTFpxB9ZwGxAF+0Qe
47Pi0Z3cmxaqd2K81YGRjk2aJYnQ6LwlPFUUIQoX4Wbq3Egau/2lM48tk5t0bMTJ
1utRHbCy+XFDCk0JFynUN3xCaQ0Im4aak7TdW8QuQhEJxJ6M7s5+xIKUFpqODgNW
pD8eTWiy5vUP1pAIwmul
=F/Oa
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]