Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 518718

Summary: <dev-db/mysql-5.5.39: Multiple Vulnerabilities (CVE-2014-{2494,4207,4243,4258,4260,4274,4287,6463,6474,6478,6484,6489,6495,6505,6520,6530,6551,6564})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: alexander, axiator, bertrand, cyberbat83, mysql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/60599/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-08-01 07:29:50 UTC 
From ${URL} :

Description

A security issue and two vulnerabilities have been reported in MySQL, where one has an unknown impact and others can be exploited by malicious, local users to potentially gain escalated privileges and by malicious people to disclose potentially sensitive 
information and manipulate certain data.

This security issue is reported in the commercial MySQL version prior to 5.6.20.

2) An error when handling MyISAM temporary files can be exploited to execute arbitrary code.

3) An off-by-one error related to certificate decoding in yaSSL can be exploited to cause a buffer overflow.

The vulnerabilities #2 and #3 are reported in versions prior to 5.5.39 and prior to 5.6.20.


Solution:
Update to version 5.5.39 or 5.6.20.

Provided and/or discovered by:
2, 3) Reported by the vendor.

Original Advisory:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-20.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2014-08-02 01:18:41 UTC 
dev-db/mysql ebuilds updated in tree.

MySQL team wishes to stable 5.5.39 but we want to wait for dev-db/mariadb-5.5.39 to appear to stable all together.  This is usually in a few days.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2014-08-05 17:50:54 UTC 
Arches, please test and mark stable.

Target keywords:

=dev-db/mysql-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=virtual/mysql-5.5 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Deps on certain arches:
@alpha: dev-libs/jemalloc needs completed wrt bug 512330
@ppc,ppc64: dev-util/systemtap needs completed wrt bug 512328

Test instructions for dev-db/mysql and dev-db/mariadb:

# Official test instructions:
# USE='-cluster embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild ${PN}-X.X.XX.ebuild \
# digest clean package
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-06 21:26:04 UTC 
(In reply to Brian Evans from comment #2)
> Arches, please test and mark stable.
> =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

mariadb is stable for no architecture and unkeyworded for many of the ones you list, so this stable request should not include it.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-06 21:59:45 UTC 
(In reply to Jeroen Roovers from comment #3)
> (In reply to Brian Evans from comment #2)
> > Arches, please test and mark stable.
> > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> 
> mariadb is stable for no architecture and unkeyworded for many of the ones
> you list, so this stable request should not include it.

+1 here. In my opinion we should not stabilize mariadb here.
Comment 5 Brian Evans (RETIRED) gentoo-dev 2014-08-06 22:36:45 UTC 
(In reply to Jeroen Roovers from comment #3)
> (In reply to Brian Evans from comment #2)
> > Arches, please test and mark stable.
> > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> 
> mariadb is stable for no architecture and unkeyworded for many of the ones
> you list, so this stable request should not include it.

While hppa has passed on this in the past, the rest have the keyword.

MariaDB 5.5.39 includes a merge from MySQL 5.5.39.

https://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4261
shows this merge which includes fixes to yaSSL and one patch to MyISAM.

MySQL team wishes MariaDB to be the default implementation for new installs through virtual/mysql and would like this stabled.

I'll take this to the other security bug if that is more appropriate.
Comment 6 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2014-08-07 00:30:55 UTC 
(In reply to Mikle Kolyada from comment #4)
> (In reply to Jeroen Roovers from comment #3)
> > (In reply to Brian Evans from comment #2)
> > > Arches, please test and mark stable.
> > > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> > 
> > mariadb is stable for no architecture and unkeyworded for many of the ones
> > you list, so this stable request should not include it.
> 
> +1 here. In my opinion we should not stabilize mariadb here.

While that might be true, mariadb-5.1* had stable keywords and is also affected by some of the security issues that affect mysql-5.1*.
The mysql team wants to get both stable and is defaulting on mariadb for the 5.5 series. If you don't want to deal with this in a security bug, we can always take care of the stabilization in the 5.5 bug and have this bug depend on that.
Comment 7 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2014-08-07 00:32:50 UTC 
(In reply to Jorge Manuel B. S. Vicetto from comment #6)
> While that might be true, mariadb-5.1* had stable keywords and is also
> affected by some of the security issues that affect mysql-5.1*.

I meant mysql-5.5 above. Most of the security issues that affect the mysql releases since the last mysql-5.1* stable version, also affect mariadb.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-07 10:38:16 UTC 
(In reply to Jorge Manuel B. S. Vicetto from comment #7)
> I meant mysql-5.5 above. Most of the security issues that affect the mysql
> releases since the last mysql-5.1* stable version, also affect mariadb.

Packages with no stable keywords never get stabilisation requests for security bugs.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-07 10:40:09 UTC 
Stable for HPPA.
Comment 10 Brian Evans (RETIRED) gentoo-dev 2014-08-07 16:21:44 UTC 
dev-db/mariadb stable moved to bug 474800
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-08 13:09:16 UTC 
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-08 13:09:27 UTC 
x86 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2014-08-08 13:50:41 UTC 
All three stable on alpha.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-08-08 14:40:44 UTC 
Just to be clear as part of this bug the Stable is for:

=dev-db/mysql-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=virtual/mysql-5.5 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Bug # 474800 (NON Security) is for:
=dev-db/mariadb-5.5.39
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:36:07 UTC 
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:22 UTC 
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-08-10 09:14:29 UTC 
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-08-10 17:27:24 UTC 
sparc stable
Comment 19 Markus Meier gentoo-dev 2014-08-13 15:26:22 UTC 
arm stable, all arches done.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2014-08-16 21:47:05 UTC 
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-08-18 23:13:32 UTC 
(In reply to Yury German from comment #20)
> Arches, Thank you for your work
> Maintainer(s), please drop the vulnerable version(s).
No.

Please read the mysql news item RFC on -dev, we'll be keeping the old version around for migration purposes for some time.
Comment 22 Sergey Popov (RETIRED) gentoo-dev 2014-08-19 08:00:29 UTC 
(In reply to Robin Johnson from comment #21)
> (In reply to Yury German from comment #20)
> > Arches, Thank you for your work
> > Maintainer(s), please drop the vulnerable version(s).
> No.
> 
> Please read the mysql news item RFC on -dev, we'll be keeping the old
> version around for migration purposes for some time.

Then, please hard-mask it with apropriate comment. That will make both maintainers and security guys happy ;-)
Comment 23 Sergey Popov (RETIRED) gentoo-dev 2014-09-04 07:25:10 UTC 
Thanks for your work guys, added to existing GLSA request.

Vulnerable versions of dev-db/mysql and dev-db/mariadb are masked
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:53 UTC 
This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 23:30:23 UTC 
CVE-2014-6564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6564):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:INNODB FULLTEXT SEARCH DML.

CVE-2014-6551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6551):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows local users to affect confidentiality via vectors
  related to CLIENT:MYSQLADMIN.

CVE-2014-6530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6530):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect
  confidentiality, integrity, and availability via vectors related to
  CLIENT:MYSQLDUMP.

CVE-2014-6520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6520):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:DDL.

CVE-2014-6505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6505):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect availability
  via vectors related to SERVER:MEMORY STORAGE ENGINE.

CVE-2014-6495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6495):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote attackers to affect availability via
  vectors related to SERVER:SSL:yaSSL.

CVE-2014-6489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6489):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect integrity and availability via vectors
  related to SERVER:SP.

CVE-2014-6484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6484):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect availability
  via vectors related to SERVER:DML.

CVE-2014-6478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6478):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote attackers to affect integrity via vectors
  related to SERVER:SSL:yaSSL.

CVE-2014-6474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6474):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:MEMCACHED.

CVE-2014-6463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6463):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML.

CVE-2014-4287 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4287):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:CHARACTER SETS.

CVE-2014-4274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4274):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows local users to affect confidentiality, integrity,
  and availability via vectors related to SERVER:MyISAM.

CVE-2014-4260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4260):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated
  users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-4258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4258):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users
  to affect confidentiality, integrity, and availability via vectors related
  to SRINFOSC.

CVE-2014-4243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4243):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users
  to affect availability via vectors related to ENFED.

CVE-2014-4207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4207):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier allows remote authenticated users to affect availability
  via vectors related to SROPTZR.

CVE-2014-2494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2494):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier allows remote authenticated users to affect availability
  via vectors related to ENARC.