Bug 488212 (CVE-2013-2134) - <dev-db/mysql-5.5.39 : Multiple vulnerabilities (CVE-2013-{3839,5767,5770,5786,5793,5807})
Summary: <dev-db/mysql-5.5.39 : Multiple vulnerabilities (CVE-2013-{3839,5767,5770,578...
Status: RESOLVED FIXED
Alias: CVE-2013-2134
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/55327/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-16 11:05 UTC by Agostino Sarubbo
Modified: 2014-09-04 08:48 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-16 11:05:43 UTC
Description

Some vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service) and by malicious people to conduct spoofing attacks and bypass certain security restrictions.

1) Some vulnerabilities are caused by a bundled vulnerable version of Apache Struts within the MySQL Enterprise Monitor component.

For more information:
SA53693
SA54118

This vulnerability is reported in MySQL Enterprise Monitor versions 2.3.13 and prior.

2) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.1.70 and prior, 5.5.32 and prior and 5.6.12 and prior.

3) An unspecified error in the Optimizer subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

4) An unspecified error in the Locking subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

This vulnerability is reported in versions 5.6.11 and prior.

5) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

6) An unspecified error in the InnoDB subcomponent of the MySQL Server component can be exploited by authenticated users to cause a hang or frequently repeatable crash.

The vulnerabilities #3, #5, and #6 are reported in versions 5.6.12 and prior.

7) An unspecified error in the Replication subcomponent of the MySQL Server component can be exploited by authenticated users to read, update, insert, or delete MySQL Server accessible data.

This vulnerability is reported in versions 5.5.32 and prior and 5.6.12 and prior.


Solution:
Apply updates.

Further details available to Secunia VIM customers

Provided and/or discovered by:
2-7) It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for October 2013 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#MSQL
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:02:38 UTC
CVE-2013-5807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5807):
  Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and
  5.6.x through 5.6.12 allows remote authenticated users to affect
  confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-5793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5793):
  Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB.

CVE-2013-5786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5786):
  Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB.

CVE-2013-5770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5770):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.11 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Locking.

CVE-2013-5767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5767):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.6.12 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Optimizer.

CVE-2013-3839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3839):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote
  authenticated users to affect availability via unknown vectors related to
  Optimizer.
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-04-25 00:44:12 UTC
I've pushed mysql-5.5.37 to the tree. We also have 5.6.17 in the overlay and 5.6 is only present in the overlay.
Comment 3 Sergey Popov gentoo-dev Security 2014-09-04 07:15:36 UTC
Thanks for your work, guys. Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:23 UTC
This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).