Just tried a version bump on x86 with FEATURES="userpriv test" USE="community" which seems to work nicely.

------------------------------------------------------------
The servers were restarted 241 times
Spent 532.568 of 1137 seconds executing testcases

Completed: All 588 tests were successful.
Security Fix: The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST. In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system. Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848)

Security Fix: The server was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflowed, which could be exploited by an authenticated user to inject malicious code. (Bug#53237, CVE-2010-1850)

Security Fix: The server could be tricked into reading packets indefinitely if it received a packet larger than the maximum size of one packet. (Bug#50974, CVE-2010-1849)
please assign security bug to the security team
CVE-2010-1848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848): Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name.

CVE-2010-1849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849): The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length.

CVE-2010-1850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850): Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name.
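The two COM_FIELD_LIST fixes described above come down to bounding the table-name length before it is copied anywhere and refusing identifiers that can be read as a file path. The following C check is an added illustration of that, not MySQL's own code; the packet layout (name, NUL, field wildcard), the MAX_TABLE_NAME limit and the function names are assumptions for this example:

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example; the real server uses its own NAME_LEN constants. */
#define MAX_TABLE_NAME 64

typedef enum {
    NAME_OK = 0,
    NAME_EMPTY,
    NAME_TOO_LONG,        /* would overflow a fixed buffer (the CVE-2010-1850 class of bug) */
    NAME_PATH_CHAR,       /* '.', '/', '\\' or NUL: lets the name escape the database dir */
    NAME_TRAILING_SPACE
} name_status;

/* Validate a raw table-name identifier before it reaches any privilege or
 * file-path logic. The ".." form from CVE-2010-1848 is caught by forbidding
 * '.' outright, since MySQL table names may not contain '.', '/' or '\'. */
name_status check_table_name(const char *name, size_t len)
{
    if (len == 0)
        return NAME_EMPTY;
    if (len > MAX_TABLE_NAME)
        return NAME_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '\0' || c == '.' || c == '/' || c == '\\')
            return NAME_PATH_CHAR;
    }
    if (name[len - 1] == ' ')
        return NAME_TRAILING_SPACE;
    return NAME_OK;
}

/* Parse an assumed COM_FIELD_LIST payload of the form <table name>\0<wildcard>.
 * The name length is derived from the packet and bounded *before* any copy, so
 * an unterminated or oversized name is refused instead of overrunning out_name.
 * out_name may be NULL when only validation is wanted. */
name_status parse_field_list(const unsigned char *payload, size_t payload_len,
                             char out_name[MAX_TABLE_NAME + 1])
{
    const unsigned char *nul = memchr(payload, '\0', payload_len);
    size_t name_len = nul ? (size_t)(nul - payload) : payload_len;
    name_status st = check_table_name((const char *)payload, name_len);
    if (st != NAME_OK)
        return st;
    if (out_name) {
        memcpy(out_name, payload, name_len);
        out_name[name_len] = '\0';
    }
    return NAME_OK;
}
```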
mysql Team, please provide an updated ebuild
CVE-2010-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621): The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.

CVE-2010-1626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626): MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
mysql team, are there plans to stabilize the 5.1 series? It seems rather difficult to fix all these vulnerabilities (and probably future ones too) in the 5.0 series unless upstream took care of that.
presently blocking on breakage that was introduced by upstream. Specifically the Archive engine (USE=extraengine but very popular) seems to be badly broken, but I haven't managed to trace WHY yet, primarily due to a shortage of time.
MySQL 5.1.49 was released on July 23rd (http://forums.mysql.com/read.php?3,377551,377551#msg-377551). When can we expect a newer than 5.1.46 version in the tree...?
CVE-2010-2008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008): MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
5.1.49 added to overlay, testing it now. http://git.overlays.gentoo.org/gitweb/?p=proj/mysql.git;a=commit;h=11aa801ac65212e678ed8da7715c56a39bd5077b Hopefully it passes the tests where 5.1.48 failed.
5.1.49 in the tree now. security: your bug again.
*** Bug 335331 has been marked as a duplicate of this bug. ***
(In reply to comment #12)
> *** Bug 335331 has been marked as a duplicate of this bug. ***

There were some additional DoS vulnerabilities reported and fixed in 5.1.49. The duped bug has a list, we'll add the CVE ids to that bug later on.

Asked robbat for specific stabilization target. stablereq coming soon
Arches, please test and mark stable: =dev-db/mysql-5.1.50 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 done
x86 stable
dev-db/mysql-5.1.50 has open bugs (#334009 and #334013 at least)
(In reply to comment #17)
> dev-db/mysql-5.1.50 has open bugs (#334009 and #334013 at least)

Fixed already. security: Can we update the target to -r1 please?
Arches, please test and mark stable: =dev-db/mysql-5.1.50-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
How about adding a nice revdep-rebuild note in the ebuilds? Upgrading from 5.0.* to 5.1.* broke DBD-mysql, apr-util and php for me. I'm pretty sure it breaks more than that.
might not hurt to send out a news item on mysql upgrades like this - if you use innodb the upgrade cannot be performed automatically.
Stable for HPPA.
Stable on alpha.
ppc done
(In reply to comment #13)
> (In reply to comment #12)
> > *** Bug 335331 has been marked as a duplicate of this bug. ***
> >
>
> There were some additional DoS vulnerabilities reported and fixed in 5.1.49.
> The duped bug has a list, we'll add the CVE ids to that bug later on.
>
> The CVEs for the issues in bug 335331 have been assigned:
> 1, Security Fix: After changing the values of the innodb_file_format or
> innodb_file_per_table configuration parameters, DDL statements
> could cause a server crash. (Bug#55039)
> References: http://bugs.mysql.com/bug.php?id=55039
> https://bugzilla.redhat.com/show_bug.cgi?id=628660
> Reason: Assertion failure leading to server abort. CVE-2010-3676
> 2, Security Fix: Joins involving a table with a unique SET column could cause
> a server crash. (Bug#54575)
> References: http://bugs.mysql.com/bug.php?id=54575
> https://bugzilla.redhat.com/show_bug.cgi?id=628040
> Reason: NULL pointer dereference leading to (temporary) server DoS. CVE-2010-3677
> 3, Security Fix: Incorrect handling of NULL arguments could lead to a crash
> for IN() or CASE operations when NULL arguments were either
> passed explicitly as arguments (for IN()) or implicitly
> generated by the WITH ROLLUP modifier (for IN() and CASE).
> (Bug#54477)
> References: http://bugs.mysql.com/bug.php?id=54477
> https://bugzilla.redhat.com/show_bug.cgi?id=628172
> Reason: NULL pointer dereference leading to (temporary) server DoS. CVE-2010-3678
> 4, Security Fix: A malformed argument to the BINLOG statement could result
> in Valgrind warnings or a server crash. (Bug#54393)
> References: http://bugs.mysql.com/bug.php?id=54393
> https://bugzilla.redhat.com/show_bug.cgi?id=628062
> Reason: Use of unassigned memory leading to (temporary) server DoS (crash). CVE-2010-3679
> 5, Security Fix: Use of TEMPORARY InnoDB tables with nullable columns could cause
> a server crash. (Bug#54044)
> References: http://bugs.mysql.com/bug.php?id=54044
> https://bugzilla.redhat.com/show_bug.cgi?id=628192
> Reason: Assertion failure leading to server abort. CVE-2010-3680
> 6, Security Fix: The server could crash if there were alternate reads from
> two indexes on a table using the HANDLER interface. (Bug#54007)
> References: http://bugs.mysql.com/bug.php?id=54007
> https://bugzilla.redhat.com/show_bug.cgi?id=628680
> Reason: Assertion failure leading to server abort. CVE-2010-3681
> 7, Security Fix: Using EXPLAIN with queries of the form SELECT ... UNION
> ... ORDER BY (SELECT ... WHERE ...) could cause a server
> crash. (Bug#52711)
> References: http://bugs.mysql.com/bug.php?id=52711
> https://bugzilla.redhat.com/show_bug.cgi?id=628328
> Reason: NULL pointer dereference leading to (temporary) server DoS. CVE-2010-3682
> 8, Security Fix: LOAD DATA INFILE did not check for SQL errors and sent an
> OK packet even when errors were already reported. Also, an
> assert related to client-server protocol checking in debug
> servers sometimes was raised when it should not have been.
> (Bug#52512)
> References: http://bugs.mysql.com/bug.php?id=52512
> https://bugzilla.redhat.com/show_bug.cgi?id=628698
> Reason: Assertion failure leading to server abort. CVE-2010-3683
ppc64 done
waiting for a toolchain response on bug 335995 to see if we need to expand the drop of omit-frame-pointer on x86, then we're clear for stabilization.
arm stable
ia64/s390/sh/sparc stable
GLSA with other MySQL bugs like 237166.
CVE-2010-3683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683): Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when a LOAD DATA INFILE request generates SQL errors, which allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a crafted request.

CVE-2010-3682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682): Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.

CVE-2010-3681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681): Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using the HANDLER interface and performing "alternate reads from two indexes on a table," which triggers an assertion failure.

CVE-2010-3680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680): Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by creating temporary tables with nullable columns while using InnoDB, which triggers an assertion failure.

CVE-2010-3679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679): Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via certain arguments to the BINLOG command, which triggers an access of uninitialized memory, as demonstrated by valgrind.

CVE-2010-3678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678): Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (crash) via (1) IN or (2) CASE operations with NULL arguments that are explicitly specified or indirectly provided by the WITH ROLLUP modifier.

CVE-2010-3677 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677): Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.

CVE-2010-3676 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676): storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to cause a denial of service (assertion failure) by modifying the (1) innodb_file_format or (2) innodb_file_per_table configuration parameters for the InnoDB storage engine, then executing a DDL statement.
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).
CVE-2009-5026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5026): The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.