488212 – (CVE-2013-2134) <dev-db/mysql-5.5.39 : Multiple vulnerabilities (CVE-2013-{3839,5767,5770,5786,5793,5807})

Bug 488212 (CVE-2013-2134) - <dev-db/mysql-5.5.39 : Multiple vulnerabilities (CVE-2013-{3839,5767,5770,5786,5793,5807})

Summary: <dev-db/mysql-5.5.39 : Multiple vulnerabilities (CVE-2013-{3839,5767,5770,578...

Status:	RESOLVED FIXED

Alias:	CVE-2013-2134

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/55327/
Whiteboard:	A2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-10-16 11:05 UTC by Agostino Sarubbo
Modified:	2014-09-04 08:48 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-10-16 11:05:43 UTC

Description

Some vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service) and by malicious people to conduct spoofing attacks and bypass certain security restrictions.

1) Some vulnerabilities are caused due to a bundled vulnerable version of Apache Struts within the MySQL Enterprise Monitor component.

For more information:
SA53693
SA54118

This vulnerability is reported in MySQL Enterprise Monitor versions 2.3.13 and prior.

2) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.1.70 and prior, 5.5.32 and prior and 5.6.12 and prior,

3) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

4) An unspecified error in the Locking subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.6.11 and prior.

5) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

6) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

The vulnerabilities #3, #5, and #6 are reported in versions 5.6.12 and prior.

7) An unspecified error in the Replication subcomponent of the MySQL Server component can be exploited by authenticated users to read, update, insert, or delete MySQL Server accessible data.

This vulnerability is reported in versions 5.5.32 and prior and 5.6.12 and prior.

Solution:
Apply updates.

Further details available to Secunia VIM customers

Provided and/or discovered by:
2-7) It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for October 2013 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#MSQL

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2013-10-24 00:02:38 UTC

CVE-2013-5807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5807):
  Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and
  5.6.x through 5.6.12 allows remote authenticated users to affect
  confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-5793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5793):
  Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB.

CVE-2013-5786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5786):
  Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB.

CVE-2013-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5770):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.11 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Locking.

CVE-2013-5767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5767):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.12 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Optimizer.

CVE-2013-3839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3839):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  Optimizer.

Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2014-04-25 00:44:12 UTC

I've pushed mysql-5.5.37 to the tree. We also have 5.6.17 in the overlay and 5.6 is only present in the overlay.

Comment 3 Sergey Popov gentoo-dev

2014-09-04 07:15:36 UTC

Thanks for your work, guys. Added to existing GLSA request

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2014-09-04 08:48:23 UTC

This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).