Bug 518718 - <dev-db/mysql-5.5.39: Multiple Vulnerabilities (CVE-2014-{2494,4207,4243,4258,4260,4274,4287,6463,6474,6478,6484,6489,6495,6505,6520,6530,6551,6564})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/60599/
Whiteboard: A2 [glsa]
 
Reported: 2014-08-01 07:29 UTC by Agostino Sarubbo
Modified: 2014-10-22 23:30 UTC

Description Agostino Sarubbo gentoo-dev 2014-08-01 07:29:50 UTC
From ${URL} :

Description

A security issue and two vulnerabilities have been reported in MySQL, where one has an unknown impact and others can be exploited by malicious, local users to potentially gain escalated privileges and by malicious people to disclose potentially sensitive information and manipulate certain data.

This security issue is reported in the commercial MySQL version prior to 5.6.20.

2) An error when handling MyISAM temporary files can be exploited to execute arbitrary code.

3) An off-by-one error related to certificate decoding in yaSSL can be exploited to cause a buffer overflow.

The vulnerabilities #2 and #3 are reported in versions prior to 5.5.39 and prior to 5.6.20.


Solution:
Update to version 5.5.39 or 5.6.20.

Provided and/or discovered by:
2, 3) Reported by the vendor.

Original Advisory:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-20.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2014-08-02 01:18:41 UTC
dev-db/mysql ebuilds updated in tree.

MySQL team wishes to stable 5.5.39 but we want to wait for dev-db/mariadb-5.5.39 to appear to stable all together.  This is usually in a few days.
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2014-08-05 17:50:54 UTC
Arches, please test and mark stable.

Target keywords:

=dev-db/mysql-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=virtual/mysql-5.5 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Deps on certain arches:
@alpha: dev-libs/jemalloc needs completed wrt bug 512330
@ppc,ppc64: dev-util/systemtap needs completed wrt bug 512328

Test instructions for dev-db/mysql and dev-db/mariadb:

# Official test instructions:
# USE='-cluster embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild ${PN}-X.X.XX.ebuild \
# digest clean package
Comment 3 Jeroen Roovers gentoo-dev 2014-08-06 21:26:04 UTC
(In reply to Brian Evans from comment #2)
> Arches, please test and mark stable.
> =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

mariadb is stable for no architecture and unkeyworded for many of the ones you list, so this stable request should not include it.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-06 21:59:45 UTC
(In reply to Jeroen Roovers from comment #3)
> (In reply to Brian Evans from comment #2)
> > Arches, please test and mark stable.
> > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> 
> mariadb is stable for no architecture and unkeyworded for many of the ones
> you list, so this stable request should not include it.

+1 here. In my opinion we should not stabilize mariadb here.
Comment 5 Brian Evans Gentoo Infrastructure gentoo-dev 2014-08-06 22:36:45 UTC
(In reply to Jeroen Roovers from comment #3)
> (In reply to Brian Evans from comment #2)
> > Arches, please test and mark stable.
> > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> 
> mariadb is stable for no architecture and unkeyworded for many of the ones
> you list, so this stable request should not include it.

While hppa has passed on this in the past, the rest have the keyword.

MariaDB 5.5.39 includes a merge from MySQL 5.5.39.

https://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4261
shows this merge which includes fixes to yaSSL and one patch to MyISAM.

MySQL team wishes MariaDB to be the default implementation for new installs through virtual/mysql and would like this stabled.

I'll take this to the other security bug if that is more appropriate.
Comment 6 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-07 00:30:55 UTC
(In reply to Mikle Kolyada from comment #4)
> (In reply to Jeroen Roovers from comment #3)
> > (In reply to Brian Evans from comment #2)
> > > Arches, please test and mark stable.
> > > =dev-db/mariadb-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> > 
> > mariadb is stable for no architecture and unkeyworded for many of the ones
> > you list, so this stable request should not include it.
> 
> +1 here. In my opinion we should not stabilize mariadb here.

While that might be true, mariadb-5.1* had stable keywords and is also affected by some of the security issues that affect mysql-5.1*.
The mysql team wants to get both stable and is defaulting on mariadb for the 5.5 series. If you don't want to deal with this in a security bug, we can always take care of the stabilization in the 5.5 bug and have this bug depend on that.
Comment 7 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-07 00:32:50 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #6)
> While that might be true, mariadb-5.1* had stable keywords and is also
> affected by some of the security issues that affect mysql-5.1*.

I meant mysql-5.5 above. Most of the security issues that affect the mysql releases since the last mysql-5.1* stable version, also affect mariadb.
Comment 8 Jeroen Roovers gentoo-dev 2014-08-07 10:38:16 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #7)
> I meant mysql-5.5 above. Most of the security issues that affect the mysql
> releases since the last mysql-5.1* stable version, also affect mariadb.

Packages with no stable keywords never get stabilisation requests for security bugs.
Comment 9 Jeroen Roovers gentoo-dev 2014-08-07 10:40:09 UTC
Stable for HPPA.
Comment 10 Brian Evans Gentoo Infrastructure gentoo-dev 2014-08-07 16:21:44 UTC
dev-db/mariadb stable moved to bug 474800
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-08 13:09:16 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-08 13:09:27 UTC
x86 stable
Comment 13 Tobias Klausmann gentoo-dev 2014-08-08 13:50:41 UTC
All three stable on alpha.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-08 14:40:44 UTC
Just to be clear as part of this bug the Stable is for:

=dev-db/mysql-5.5.39 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=virtual/mysql-5.5 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Bug # 474800 (NON Security) is for:
=dev-db/mariadb-5.5.39
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:36:07 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:22 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-08-10 09:14:29 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-08-10 17:27:24 UTC
sparc stable
Comment 19 Markus Meier gentoo-dev 2014-08-13 15:26:22 UTC
arm stable, all arches done.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-16 21:47:05 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-08-18 23:13:32 UTC
(In reply to Yury German from comment #20)
> Arches, Thank you for your work
> Maintainer(s), please drop the vulnerable version(s).
No.

Please read the mysql news item RFC on -dev, we'll be keeping the old version around for migration purposes for some time.
Comment 22 Sergey Popov gentoo-dev Security 2014-08-19 08:00:29 UTC
(In reply to Robin Johnson from comment #21)
> (In reply to Yury German from comment #20)
> > Arches, Thank you for your work
> > Maintainer(s), please drop the vulnerable version(s).
> No.
> 
> Please read the mysql news item RFC on -dev, we'll be keeping the old
> version around for migration purposes for some time.

Then, please hard-mask it with appropriate comment. That will make both maintainers and security guys happy ;-)
Comment 23 Sergey Popov gentoo-dev Security 2014-09-04 07:25:10 UTC
Thanks for your work guys, added to existing GLSA request.

Vulnerable versions of dev-db/mysql and dev-db/mariadb are masked
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-09-04 08:48:53 UTC
This issue was resolved and addressed in
 GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 23:30:23 UTC
CVE-2014-6564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6564):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:INNODB FULLTEXT SEARCH DML.

CVE-2014-6551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6551):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows local users to affect confidentiality via vectors
  related to CLIENT:MYSQLADMIN.

CVE-2014-6530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6530):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect
  confidentiality, integrity, and availability via vectors related to
  CLIENT:MYSQLDUMP.

CVE-2014-6520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6520):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:DDL.

CVE-2014-6505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6505):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect availability
  via vectors related to SERVER:MEMORY STORAGE ENGINE.

CVE-2014-6495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6495):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote attackers to affect availability via
  vectors related to SERVER:SSL:yaSSL.

CVE-2014-6489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6489):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect integrity and availability via vectors
  related to SERVER:SP.

CVE-2014-6484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6484):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect availability
  via vectors related to SERVER:DML.

CVE-2014-6478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6478):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote attackers to affect integrity via vectors
  related to SERVER:SSL:yaSSL.

CVE-2014-6474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6474):
  Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows
  remote authenticated users to affect availability via vectors related to
  SERVER:MEMCACHED.

CVE-2014-6463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6463):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML.

CVE-2014-4287 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4287):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:CHARACTER SETS.

CVE-2014-4274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4274):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and
  5.6.19 and earlier allows local users to affect confidentiality, integrity,
  and availability via vectors related to SERVER:MyISAM.

CVE-2014-4260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4260):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated
  users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-4258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4258):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users
  to affect confidentiality, integrity, and availability via vectors related
  to SRINFOSC.

CVE-2014-4243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4243):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users
  to affect availability via vectors related to ENFED.

CVE-2014-4207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4207):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier allows remote authenticated users to affect availability
  via vectors related to SROPTZR.

CVE-2014-2494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2494):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL
  5.5.37 and earlier allows remote authenticated users to affect availability
  via vectors related to ENARC.