Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507802 (CVE-2014-0384) - <dev-db/mysql-5.5.39 : Multiple Vulnerabilities (CVE-2014-{0384,2419,2430,2431,2432,2434,2435,2436,2438,2440})
Summary: <dev-db/mysql-5.5.39 : Multiple Vulnerabilities (CVE-2014-{0384,2419,2430,243...
Status: RESOLVED FIXED
Alias: CVE-2014-0384
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57940/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-16 08:31 UTC by Agostino Sarubbo
Modified: 2014-09-04 08:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-16 08:31:35 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system and by malicious people to disclose sensitive information, manipulate certain data, and cause a DoS.

1) An error within the InnoDB subcomponent can be exploited to execute arbitrary code.

2) An error within the RBR subcomponent can be exploited to execute arbitrary code.

3) An error within the MySQL Client can be exploited to disclose, update, insert, or delete certain data and to cause a crash.

4) An error within the DML subcomponent can be exploited to cause a crash.

5) An error within the InnoDB subcomponent can be exploited to cause a crash.

6) An error within the MyISAM subcomponent can be exploited to cause a crash.

7) An error within the Optimizer subcomponent can be exploited to cause a crash.

8) An error within the Partition subcomponent can be exploited to cause a crash.

9) An error within the XML subcomponent can be exploited to cause a crash.

10) An error within the Performance Schema subcomponent can be exploited to cause a crash.

11) An error within the Privileges subcomponent can be exploited to cause a crash.

12) An error within the Replication subcomponent can be exploited to cause a crash.

13) An error within the Federated subcomponent can be exploited to cause a crash.

14) An error within the Options subcomponent can be exploited to cause a crash.

Please see the vendor's advisories for a list of affected versions.


Solution:
Apply update.

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:57:11 UTC
CVE-2014-2440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2440):
  Unspecified vulnerability in the MySQL Client component in Oracle MySQL
  5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors.

CVE-2014-2438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2438):
  Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and
  5.6.15 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Replication.

CVE-2014-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2436):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and
  5.6.16 and earlier allows remote authenticated users to affect
  confidentiality, integrity, and availability via vectors related to RBR.

CVE-2014-2435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2435):
  Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB.

CVE-2014-2434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2434):
  Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows
  remote authenticated users to affect availability via vectors related to
  DML.

CVE-2014-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2432):
  Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and
  earlier and 5.6.15 and earlier allows remote authenticated users to affect
  availability via unknown vectors related to Federated.

CVE-2014-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2431):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and
  5.6.16 and earlier allows remote attackers to affect availability via
  unknown vectors related to Options.

CVE-2014-2430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2430):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and
  5.6.16 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Performance Schema.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 20:06:27 UTC
CVE-2014-2419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2419):
  Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and
  5.6.15 and earlier allows remote authenticated users to affect availability
  via unknown vectors related to Partition.

CVE-2014-0384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0384):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users
  to affect availability via vectors related to XML.
Comment 3 Sergey Popov gentoo-dev Security 2014-09-04 07:09:20 UTC
Added to existing GLSA request
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:45 UTC
This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).