Summary: | <dev-db/mysql-{5.5.59,5.6.39}: Multiple Vulnerabilities (CVE-2018-{2562,2622,2640,2665,2668}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Attila Tóth <atoth> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hydrapolic, mysql-bugs |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
dev-db/mysql-5.6.39
|
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 634652 |
Description
Attila Tóth
2018-01-18 22:00:12 UTC
5.6.38 seems to be OK, 5.7 is not in the tree. 5.5.58 might worth a bump for whoever it may concern, because its keyworded and 5.6.38 is already stable for many architectures... The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c17b1113e3a9e123ab6d0c1d6e39f78aa696e6a commit 8c17b1113e3a9e123ab6d0c1d6e39f78aa696e6a Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2018-01-19 02:33:00 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2018-01-19 02:33:00 +0000 dev-db/mysql: Version bump for 5.6.39 Bug: https://bugs.gentoo.org/644986 Package-Manager: Portage-2.3.19, Repoman-2.3.6 dev-db/mysql/Manifest | 1 + dev-db/mysql/mysql-5.6.39.ebuild | 192 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 193 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cc2f5ec99aed048bcfe488dfcbc894904058d61 commit 6cc2f5ec99aed048bcfe488dfcbc894904058d61 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2018-01-19 02:08:09 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2018-01-19 02:08:09 +0000 dev-db/mysql: Version bump for 5.5.59 Bug: https://bugs.gentoo.org/644986 Package-Manager: Portage-2.3.19, Repoman-2.3.6 dev-db/mysql/Manifest | 1 + dev-db/mysql/mysql-5.5.59.ebuild | 133 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+)} CVE-2018-2668 (https://nvd.nist.gov/vuln/detail/CVE-2018-2668): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2665 (https://nvd.nist.gov/vuln/detail/CVE-2018-2665): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2640 (https://nvd.nist.gov/vuln/detail/CVE-2018-2640): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2622 (https://nvd.nist.gov/vuln/detail/CVE-2018-2622): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2562 (https://nvd.nist.gov/vuln/detail/CVE-2018-2562): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Partition). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). @ Attila: Thanks for the report but please don't set versions in summary next time.
> 5.6.38 seems to be OK
No, it is not. 5.6.38 is vulnerable.
(In reply to Thomas Deutschmann from comment #4) > @ Attila: Thanks for the report but please don't set versions in summary > next time. > > > 5.6.38 seems to be OK > No, it is not. 5.6.38 is vulnerable. Sorry: the source I was citing was wrong and I would have to double check the versions. Next time I will be more careful. CVE-2018-2703 (https://nvd.nist.gov/vuln/detail/CVE-2018-2703): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2696 (https://nvd.nist.gov/vuln/detail/CVE-2018-2696): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2647 (https://nvd.nist.gov/vuln/detail/CVE-2018-2647): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2018-2645 (https://nvd.nist.gov/vuln/detail/CVE-2018-2645): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). CVE-2018-2612 (https://nvd.nist.gov/vuln/detail/CVE-2018-2612): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H). CVE-2018-2591 (https://nvd.nist.gov/vuln/detail/CVE-2018-2591): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Partition). Supported versions that are affected are 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2590 (https://nvd.nist.gov/vuln/detail/CVE-2018-2590): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2018-2583 (https://nvd.nist.gov/vuln/detail/CVE-2018-2583): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Stored Procedure). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H). CVE-2018-2573 (https://nvd.nist.gov/vuln/detail/CVE-2018-2573): Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: GIS). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). @ Arches, please test and mark stable. The test suite should pass following the official instructions. Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances) Target keywords: =dev-db/mysql-5.6.39 alpha amd64 arm hppa ia64 ppc ppc64 x86 # Official test instructions: # USE='embedded extraengine perl server openssl static-libs' \ # FEATURES='test userpriv -usersandbox' \ # ebuild mysql-5.6.39.ebuild \ # clean package # Parallel testing is enabled, auto will try to detect number of cores # You may set this by hand. # The default maximum is 8 unless MTR_MAX_PARALLEL is increased export MTR_PARALLEL="${MTR_PARALLEL:-auto}" amd64 stable ia64 stable arm stable Seems like a newly released Mariadb is also affected by some of those CVEs. https://mariadb.com/kb/en/library/mariadb-10131-release-notes/ x86 stable Added to an existing GLSA. This issue was resolved and addressed in GLSA 201802-04 at https://security.gentoo.org/glsa/201802-04 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for remaining architectures. Stable on alpha. ppc64 stable @Arches, Stabilization will probably be finished in bug 655182. tree is clean |