[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] MySQL CVEs
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-06-19 17:50:03
Message-ID: 4FE0BBCB.9090709 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/18/2012 10:50 AM, Tomas Hoger wrote:
> Hijacking this thread a bit...
>
> On Sat, 9 Jun 2012 17:30:38 +0200 Sergei Golubchik wrote:
>
>> MySQL bug report: http://bugs.mysql.com/bug.php?id=64884 MySQL
>> fix:
>> http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
>>
>>
MySQL changelog:
>> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
>> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
>
> In addition to 64884 / CVE-2012-2122 reported by Sergei, 5.1.63
> release notes also mention additional security fix:
>
> * Security Fix: Bug #59387 was fixed.
>
> which can be tracked to the following commit:
>
> http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
>
> This allows non-admin mysql user to crash mysqld. The fix is also
> in 5.5.24, but it is not mentioned in 5.5.24 releases notes or
> changelog file included in the sources. 5.0.x is affected too.
> Can the CVE be assigned? I'm CCing Oracle security team
> explicitly, so they can reply with their existing assignment (if
> any), and/or are aware of the new assignment.
Please use CVE-2012-2749 for this issue.
> Additionally, 5.5.23 changes include another security fix:
>
> * Security Fix: Bug #59533 was fixed.
>
> However, I've not had much luck trying to find a commit or any
> further info for this issue. Upstream bug is private. Does anyone
> have any further info?
Please use CVE-2012-2750 for this issue. I guess this will be one of
those "Unspecified vulnerability in MySQL before 5.5.23 has unknown
impact and attack vectors, related to a "Security Fix." "
> Additionally, following bugs try to collect info on MySQL security
> fixes in the last released and an upcoming Oracle CPU:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=832477
> https://bugzilla.redhat.com/show_bug.cgi?id=832540
>
> It would be nice if Oracle could confirm the mapping between CVEs
> and particular issues to avoid any incorrect guesses.
>
> If anyone else has been looking into trying to map Oracle assigned
> CVEs to specific changes and has any info missing in the above
> bugs, feel free to comment there.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJP4LvLAAoJEBYNRVNeJnmTh7oQAJJ4iVkvl1P3kFP8cT9OTY1H
pbsqj/Ehj8Y+T5C/y7ZriEUcrHr9xJiwRQAUTlvtydRmslIAp2ptSEGkuLOJMe/C
hBqrIUtJKzJSJQC6Xa4pmcObZ11zzP39STttQr6OdC4VUsLvKKWzXc6TkXn8iQiQ
FQ8INUXM1JBUJiVBEJnVOqG5svX6WT0o1iqPgaaIoU37LJmzP8pW0fgcpHBAdSPv
hwe5ys5pcNNloJVm9yNFksJiyfJ4g0ES5PrEaFMStfUuZj+RlDFdEIvciNESwpxL
SxUl9X2+aFlEo0h7Bn4FrwvhC9pZ7HS5m6n+n6QX7LMHmsF24l022RvegyIqaE38
YBAKXVrRjw/8GiF77lyB3vOh7reC8eou7APo4tvdNmzmAC5wpAiz6+xspxAg0LNI
0D72rhskm0GnnXQ61upw0CR5COPaN37hP4x6BhtUuJMOZ6DX1CmrN3S4RaVyza01
3ohWYefrA0m1hgASHHJG9W+0OVR6b/cGzvOzsj/bVHdJXsCgTFpxB9ZwGxAF+0Qe
47Pi0Z3cmxaqd2K81YGRjk2aJYnQ6LwlPFUUIQoX4Wbq3Egau/2lM48tk5t0bMTJ
1utRHbCy+XFDCk0JFynUN3xCaQ0Im4aak7TdW8QuQhEJxJ6M7s5+xIKUFpqODgNW
pD8eTWiy5vUP1pAIwmul
=F/Oa
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic