From ${URL} : Description Multiple vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges, by malicious users to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service). 1) An unspecified error in the Data Manipulation Language sub-component can be exploited by authenticated users to cause a DoS. 2) An unspecified error in the Server Locking sub-component can be exploited by authenticated users to execute arbitrary code. 3) An unspecified error in the Information Schema sub-component can be exploited by authenticated users to execute arbitrary code. 4) An unspecified error in the Server sub-component can be exploited by authenticated users to read and manipulate some MySQL Server accessible data and cause a partial partial DOS. 5) An unspecified error in the Server Privileges sub-component can be exploited by authenticated users to read and manipulate some MySQL Server accessible data and cause a partial partial DOS. 6) An unspecified error in the Server Privileges sub-component can be exploited by authenticated users to execute arbitrary code. 7) An unspecified error in the MemCached sub-component can be exploited to cause a DoS. 8) An unspecified error in the Server Optimizer sub-component can be exploited by authenticated users to execute arbitrary code. 9) An unspecified error in the Data Manipulation Language sub-component can be exploited by authenticated users to cause a DoS. 10) An unspecified error in the Data Manipulation Language sub-component can be exploited by authenticated users to cause a DoS. 11) An unspecified error in the Information Schema sub-component can be exploited by authenticated users to cause a DoS. 12) An unspecified error in the InnoDB sub-component can be exploited by authenticated users to cause a DoS. 13) An unspecified error in the Server Optimizer sub-component can be exploited by authenticated users to cause a DoS. 14) An unspecified error in the Server Partition sub-component can be exploited by authenticated users to cause a DoS. 15) An unspecified error in the Server Replication sub-component can be exploited by authenticated users to cause a partial DoS. 16) An unspecified error in the Stored Procedure sub-component can be exploited by authenticated users to cause a DoS. 17) An unspecified error in the Data Manipulation Language sub-component can be exploited by authenticated users to cause a DoS. 18) An unspecified error in the InnoDB sub-component can be exploited by authenticated users to cause a DoS. 19) An unspecified error in the InnoDB sub-component can be exploited by authenticated users to cause a DoS. 20) An unspecified error in the Server Privileges sub-component can be exploited by authenticated users to manipulate certain MySQL Server accessible data. 21) An unspecified error in the Server Types sub-component can be exploited by authenticated users to cause a DoS. 22) An unspecified error in the Server Install sub-component can be exploited by local users to gain escalated privileges. 23) An unspecified error in the Server Locking sub-component can be exploited by authenticated users to cause a partial DoS. 24) An unspecified error in the Server Partition sub-component can be exploited by local users to cause a DoS. The vulnerabilities are reported in versions 5.1.67 and prior, 5.5.29 and prior, and 5.6.10 and prior. Solution Apply updates. Further details available to Secunia VIM customers Provided and/or discovered by It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information. Original Advisory Oracle: http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html#AppendixMSQL http://www.oracle.com/technetwork/topics/security/cpuapril2013verbose-1899563.html#MSQL @maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
CVE-2013-2395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2395): Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-1567. CVE-2013-2392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2392): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. CVE-2013-2391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2391): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows local users to affect confidentiality and integrity via unknown vectors related to Server Install. CVE-2013-2389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2389): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. CVE-2013-2381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2381): Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server Privileges. CVE-2013-2378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2378): Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema. CVE-2013-2376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2376): Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedure. CVE-2013-2375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2375): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. CVE-2013-1570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1570): Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote attackers to affect availability via unknown vectors related to MemCached. CVE-2013-1567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1567): Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language, a different vulnerability than CVE-2013-2395. CVE-2013-1566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1566): Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. CVE-2013-1555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1555): Unspecified vulnerability in MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Partition. CVE-2013-1552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1552): Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. CVE-2013-1548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1548): Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Types. CVE-2013-1544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1544): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. CVE-2013-1532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1532): Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Information Schema. CVE-2013-1531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1531): Unspecified vulnerability in Oracle MySQL 5.1.66 and earlier and 5.5.28 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Privileges. CVE-2013-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1526): Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication. CVE-2013-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1523): Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.10 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Optimizer. CVE-2013-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1521): Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server Locking. CVE-2013-1512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1512): Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. CVE-2013-1511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1511): Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. CVE-2013-1506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1506): Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking. CVE-2013-1502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1502): Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.9 and earlier allows local users to affect availability via unknown vectors related to Server Partition.
It seems MySQL 5.1.69 fixes these problems for the 5.1 branch, as well as the Geometry crash issue (CVE-2013-1861) described in bug 445602. Is there any time frame known for when, if ever, this version would appear (even masked) in Portage?
(In reply to comment #2) > It seems MySQL 5.1.69 fixes these problems for the 5.1 branch, as well as > the Geometry crash issue (CVE-2013-1861) described in bug 445602. Is there > any time frame known for when, if ever, this version would appear (even > masked) in Portage? Did Oracle release 5.1.69? I still can't find it on their web site[1]. IIRC, this isn't the first time that 5.1.69 is mentioned as having fixed an issue. [1] - http://downloads.mysql.com/archives.php?p=mysql-5.1
It appears to be available on http://dev.mysql.com/downloads/mysql/5.1.html#downloads though I have to admit to not testing this release myself. Very odd that it is missing on the other list.
5.1.70 was stabilized in bug #477474, adding to existing GLSA draft
This issue was resolved and addressed in GLSA 201308-06 at http://security.gentoo.org/glsa/glsa-201308-06.xml by GLSA coordinator Sergey Popov (pinkbyte).