Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 546722 - <dev-db/mysql-{5.5.43,5.6.24}: multiple vulnerabilities (CVE-{2014-3569},{2015-{0405,0423,0433,0438,0439,0441,0498,0499,0500,0501,0503,0505,0506,0507,0508,0511,2566,2567,2568,2571,2573}})
Summary: <dev-db/mysql-{5.5.43,5.6.24}: multiple vulnerabilities (CVE-{2014-3569},{201...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-16 07:16 UTC by Agostino Sarubbo
Modified: 2015-07-10 13:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2015-04-16 13:01:27 UTC
Arches, please test and mark stable.

Target keywords:
dev-db/mysql-5.6.24 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-5.6.24.ebuild \
# digest clean package

Parallel testing is on by default and can be set with MTR_PARALLEL=x (default is attempted to be num cpus/cores as read by perl via /proc/cpuinfo) up to MTR_MAX_PARALLEL=x (default 8).  These may be set as additional environment variables to the above command.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-04-17 04:33:19 UTC
CVE-2015-2573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2573):
  Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and
  5.6.22 and earlier, allows remote authenticated users to affect availability
  via vectors related to DDL.

CVE-2015-2571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2571):
  Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and
  5.6.23 and earlier, allows remote authenticated users to affect availability
  via unknown vectors related to Server : Optimizer.

CVE-2015-2568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2568):
  Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and
  5.6.22 and earlier, allows remote attackers to affect availability via
  unknown vectors related to Server : Security : Privileges.

CVE-2015-2567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2567):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Security : Privileges.

CVE-2015-2566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2566):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via vectors related to
  DML.

CVE-2015-0511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0511):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : SP.

CVE-2015-0508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0508):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : InnoDB, a different vulnerability than CVE-2015-0506.

CVE-2015-0507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0507):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Memcached.

CVE-2015-0506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0506):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to InnoDB, a different vulnerability than CVE-2015-0508.

CVE-2015-0505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0505):
  Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and
  5.6.23 and earlier, allows remote authenticated users to affect availability
  via vectors related to DDL.

CVE-2015-0503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0503):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Partition.

CVE-2015-0501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0501):
  Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and
  5.6.23 and earlier, allows remote authenticated users to affect availability
  via unknown vectors related to Server : Compiling.

CVE-2015-0500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0500):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors.

CVE-2015-0499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0499):
  Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and
  5.6.23 and earlier, allows remote authenticated users to affect availability
  via unknown vectors related to Server : Federated.

CVE-2015-0498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0498):
  Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Replication.

CVE-2015-0441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0441):
  Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and
  5.6.22 and earlier, allows remote authenticated users to affect availability
  via unknown vectors related to Server : Security : Encryption.

CVE-2015-0439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0439):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : InnoDB.

CVE-2015-0438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0438):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Server : Partition.

CVE-2015-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0433):
  Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and
  5.6.22 and earlier, allows remote authenticated users to affect availability
  via vectors related to InnoDB : DML.

CVE-2015-0423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0423):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Optimizer.

CVE-2015-0405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0405):
  Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to XA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-17 07:08:13 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-17 07:08:27 UTC
x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2015-04-17 17:02:36 UTC
Stable for HPPA.
Comment 6 Jeroen Roovers gentoo-dev 2015-04-22 03:53:21 UTC
Stable for PPC64.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-04-24 21:27:28 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:00 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-04-28 07:46:47 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-29 09:13:50 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-05-27 13:06:22 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Brian Evans Gentoo Infrastructure gentoo-dev 2015-05-27 16:30:00 UTC
Cleanup done.

--- ./ChangeLog
+++ ./ChangeLog
@@ -4,0 +5,4 @@
+  27 May 2015; Brian Evans <grknight@gentoo.org> -mysql-5.5.42.ebuild,
+  -mysql-5.6.22.ebuild, -mysql-5.6.23.ebuild:
+  Drop vulnerable versions for security bug 546722
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-28 19:02:36 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 13:27:58 UTC
This issue was resolved and addressed in
 GLSA 201507-19 at https://security.gentoo.org/glsa/201507-19
by GLSA coordinator Mikle Kolyada (Zlogene).