Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 498164 (CVE-2013-5860) - <dev-db/mysql-5.5.37 : Multiple Vulnerabilities (CVE-2013-{5860,5881,5882,5891,5894,5908},CVE-2014-{0386,0393,0401,0402,0412,0420,0427,0430,0431,0433,0437})
Summary: <dev-db/mysql-5.5.37 : Multiple Vulnerabilities (CVE-2013-{5860,5881,5882,589...
Status: RESOLVED FIXED
Alias: CVE-2013-5860
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/56491/
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-15 13:31 UTC by Agostino Sarubbo
Modified: 2014-09-04 08:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-15 13:31:21 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious 
users to manipulate certain data and cause a DoS (Denial of Service) and by malicious people to 
cause a DoS.

1) An error within the GIS subcomponent can be exploited to cause a crash.

2) An error within the Stored Procedure subcomponent can be exploited to cause a crash.

3) An error within the Thread Pooling subcomponent can be exploited to cause a crash.

4) An error within the InnoDB subcomponent can be exploited to cause a crash.

5) An error within the InnoDB subcomponent can be exploited to cause a crash.

6) An error within the InnoDB subcomponent can be exploited to cause a crash.

7) An error within the Locking subcomponent can be exploited to cause a crash.

8) An error within the Optimizer subcomponent can be exploited to cause a crash.

9) An error within the Partition subcomponent can be exploited to cause a crash.

10) An error within the Privileges subcomponent can be exploited to cause a crash.

11) An error within the FTS subcomponent can be exploited to cause a crash.

12) An error within the InnoDB subcomponent can be exploited to cause a crash.

13) An error within the Optimizer subcomponent can be exploited to cause a crash.

14) An error within the InnoDB subcomponent can be exploited to update, insert, or delete certain 
data.

15) An error within the Performance Schema subcomponent can be exploited to cause a crash.

16) An error within the Replication subcomponent can be exploited to cause a crash.

17) An error within the Error Handling subcomponent can be exploited to cause a crash.

Please see the vendor's advisories for a list of affected versions.


Solution:
Apply updates (please see the vendor's advisory for details).

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for 
January 2014 only provides a bundled list of credits. This section will be updated when/if the 
original reporters provide more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#MSQL


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-01-16 14:14:12 UTC
Going through all the CVE's here are affected versions:
< 5.6.14
< 5.5.34
< 5.1.72
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:32:10 UTC
CVE-2014-0437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0437):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  Optimizer.

CVE-2014-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0433):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.13 and earlier allows remote attackers to affect availability via
  unknown vectors related to Thread Pooling.

CVE-2014-0431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0431):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.14 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to InnoDB, a different vulnerability than
  CVE-2013-5881.

CVE-2014-0430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0430):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.13 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Performance Schema.

CVE-2014-0427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0427):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.13 and earlier allows remote authenticated users to affect availability
  via vectors related to FTS.

CVE-2014-0420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0420):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated
  users to affect availability via unknown vectors related to Replication.

CVE-2014-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0412):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  InnoDB.

CVE-2014-0402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0402):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  Locking.

CVE-2014-0401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0401):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote
  authenticated users to affect availability via unknown vectors.

CVE-2014-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0393):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote
  authenticated users to affect integrity via unknown vectors related to
  InnoDB.

CVE-2014-0386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0386):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  Optimizer.

CVE-2013-5908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5908):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote
  attackers to affect availability via unknown vectors related to Error
  Handling.

CVE-2013-5894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5894):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.13 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to InnoDB.

CVE-2013-5891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5891):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users
  to affect availability via unknown vectors related to Partition.

CVE-2013-5882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5882):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.13 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Stored Procedures.

CVE-2013-5881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5881):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.14 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to InnoDB, a different vulnerability than
  CVE-2014-0431.

CVE-2013-5860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5860):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.14 and earlier allows remote authenticated users to affect availability
  via vectors related to GIS.
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-04-25 00:50:48 UTC
I've pushed mysql-5.5.37 into the tree.
We're going to take care of this stabilization as this is the first 5.5 release we're going to mark stable.
Comment 4 Sergey Popov gentoo-dev 2014-09-04 07:20:24 UTC
Thanks for your work, guys. Added to existing GLSA request
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:30 UTC
This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).