Summary: | <dev-db/mysql-5.5.40 - <dev-db/mariadb-5.5.40-r1: multiple vulnerabilities (CVE-2014-{6464,6469,6491,6494,6496,6500,6507,6555,6559}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mysql-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL | ||
Whiteboard: | A2 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 525644 | ||
Bug Blocks: | | ||
Description
Agostino Sarubbo
2014-10-15 16:02:07 UTC
dev-db/mysql-5.5.40 and dev-db/mariadb-5.5.40 are already in the tree and should be good to go stable
dev-db/mariadb still merges from Oracle's tree in the 5.5 series
Older 5.6 series dev-db/mysql have been purged from the tree

Arches, please test and mark stable:
=dev-db/mysql-5.5.40
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Arches, please test and mark stable:
=dev-db/mariadb-5.5.40
Target keywords : "alpha amd64 hppa x86"

amd64 and x86 stable

Both stable on alpha.

Stable for HPPA.

ppc stable

ppc64 stable

There is an include header issue with dev-db/mariadb-5.5.40
working on a patch now and will notify when it is revbumped with a patch

dev-db/mariadb-5.5.40-r1 added and arches imported from previous stabled
Any further arches should target this revision instead
Reasoning for direct to stable was the simple patch added and recommended by upstream:

diff -aurN mysql.orig/config.h.cmake mysql/config.h.cmake --- mysql.orig/config.h.cmake 2014-10-08 09:19:51.000000000 -0400 +++ mysql/config.h.cmake 2014-10-17 09:51:33.617709631 -0400
@@ -650,7 +650,7 @@ __GLIBC__ is defined in <features.h> */ -#ifdef __GLIBC__ +#if 0 #error <my_config.h> MUST be included first! #endif

Remove x86 from cc since it was stabled already

ia64 stable

sparc stable

arm stable, all arches done.

A new GLSA request has been created for this issue.

CVE-2014-6559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING.

CVE-2014-6555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML.

CVE-2014-6507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML.

CVE-2014-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.

CVE-2014-6496 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494.

CVE-2014-6494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496.

CVE-2014-6491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.

CVE-2014-6469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-6464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464): Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS.

(In reply to Markus Meier from comment #13)
> arm stable, all arches done.

dev-db/mysql-5.5.40 still shows ~arm in CVS. was this a mistake?

arm stable, all arches done.

This issue was resolved and addressed in GLSA 201411-02 at http://security.gentoo.org/glsa/glsa-201411-02.xml by GLSA coordinator Sean Amoss (ackle).
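
Review bot: In the config.h.cmake hunk at line 650, changing `#ifdef __GLIBC__` to `#if 0` switches off the `#error <my_config.h> MUST be included first!` check for every build and leaves the `#error` block in place as dead code with nothing to say why. Either delete the block outright, or add a comment directly above the `#if 0` that names the include header issue this works around, so the next person reading config.h.cmake does not mistake it for a debugging leftover. If the inclusion-order check is still wanted for some consumers of the header, a narrower condition than `#if 0` would keep it for them.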