Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 555478

Summary: <dev-db/mysql-5.{5.44,6.25}: multiple vulnerabilities (CVE-2015-{2582,2611,2617,2620,2639,2641,2643,2648,2661,4737,4752,4756,4757,4767,4769,4771,4772})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mysql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 580832    
Bug Blocks: 556432    

Description Agostino Sarubbo gentoo-dev 2015-07-20 14:04:05 UTC 
A security update of mysql described at $URL
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-07-20 18:29:10 UTC 
For the record, CVE-2015-4761 does not apply as Gentoo never has built the embedded memcached server.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-07-25 22:58:15 UTC 
CVE-2015-4772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4772):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Partition.

CVE-2015-4771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4771):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via vectors related to
  RBR.

CVE-2015-4769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4769):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Security : Firewall, a different vulnerability than
  CVE-2015-4767.

CVE-2015-4767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4767):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Security : Firewall, a different vulnerability than
  CVE-2015-4769.

CVE-2015-4757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4757):
  Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier and
  5.6.23 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Server : Optimizer.

CVE-2015-4756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4756):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : InnoDB.

CVE-2015-4752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4752):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and
  5.6.24 and earlier allows remote authenticated users to affect availability
  via vectors related to Server : I_S.

CVE-2015-4737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4737):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, and
  5.6.23 and earlier, allows remote authenticated users to affect
  confidentiality via unknown vectors related to Server : Pluggable Auth.

CVE-2015-2661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2661):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  local users to affect availability via unknown vectors related to Client.

CVE-2015-2648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2648):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and
  5.6.24 and earlier allows remote authenticated users to affect availability
  via vectors related to DML.

CVE-2015-2643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2643):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and
  5.6.24 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Server : Optimizer.

CVE-2015-2641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2641):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Security : Privileges.

CVE-2015-2639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2639):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect integrity via unknown vectors related
  to Server : Security : Firewall.

CVE-2015-2620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2620):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and
  5.6.23 and earlier allows remote authenticated users to affect
  confidentiality via unknown vectors related to Server : Security :
  Privileges.

CVE-2015-2617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2617):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect confidentiality, integrity, and
  availability via unknown vectors related to Partition.

CVE-2015-2611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2611):
  Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows
  remote authenticated users to affect availability via vectors related to
  DML.

CVE-2015-2582 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2582):
  Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and
  5.6.24 and earlier allows remote authenticated users to affect availability
  via vectors related to GIS.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2015-08-03 15:12:13 UTC 
Though the CVEs only go up to <5.6.25  I am targeting 5.6.26 for connection issues related, but not vulnerable, to LogJam.

Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mysql-5.6.26 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-5.6.26.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-03 20:24:57 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-08-04 08:19:54 UTC 
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 14:20:55 UTC 
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-05 21:29:32 UTC 
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2015-08-06 04:59:52 UTC 
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-07 05:36:34 UTC 
Stable for HPPA PPC64.
Comment 10 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:33 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-09-06 08:32:47 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Brian Evans (RETIRED) gentoo-dev 2015-11-17 21:46:17 UTC 
Cleanup was done.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 05:19:09 UTC 
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 13:45:09 UTC 
This issue was resolved and addressed in
 GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06
by GLSA coordinator Aaron Bauman (b-man).