Description:
Some vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service) and by malicious people to conduct spoofing attacks and bypass certain security restrictions.

1) Some vulnerabilities are caused due to a bundled vulnerable version of Apache Struts within the MySQL Enterprise Monitor component.

For more information:
SA53693
SA54118

This vulnerability is reported in MySQL Enterprise Monitor versions 2.3.13 and prior.

2) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.1.70 and prior, 5.5.32 and prior and 5.6.12 and prior.

3) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

4) An unspecified error in the Locking subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.6.11 and prior.

5) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

6) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

The vulnerabilities #3, #5, and #6 are reported in versions 5.6.12 and prior.

7) An unspecified error in the Replication subcomponent of the MySQL Server component can be exploited by authenticated users to read, update, insert, or delete MySQL Server accessible data.

This vulnerability is reported in versions 5.5.32 and prior and 5.6.12 and prior.

Solution:
Apply updates.

Further details available to Secunia VIM customers

Provided and/or discovered by:
2-7) It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for October 2013 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#MSQL
CVE-2013-5807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5807):
Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-5793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5793):
Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2013-5786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5786):
Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2013-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5770):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.

CVE-2013-5767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5767):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2013-3839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3839):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
I've pushed mysql-5.5.37 to the tree. We also have 5.6.17 in the overlay and 5.6 is only present in the overlay.
Thanks for your work, guys. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml by GLSA coordinator Sergey Popov (pinkbyte).