Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 819660 (CVE-2021-35584, CVE-2021-35590, CVE-2021-35592, CVE-2021-35593, CVE-2021-35594, CVE-2021-35598, CVE-2021-35613, CVE-2021-35618, CVE-2021-35621) - dev-db/mysql-cluster: multiple vulnerabilities
Summary: dev-db/mysql-cluster: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-35584, CVE-2021-35590, CVE-2021-35592, CVE-2021-35593, CVE-2021-35594, CVE-2021-35598, CVE-2021-35613, CVE-2021-35618, CVE-2021-35621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: ~3 [noglsa]
Keywords: PMASKED
Depends on: 834113
Blocks:
  Show dependency tree
 
Reported: 2021-10-23 13:36 UTC by John Helmert III
Modified: 2022-04-13 14:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-23 13:36:55 UTC
CVE-2021-22931 (https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/):

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CVE-2021-35584:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: ndbcluster/plugin DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35590:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35592:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35593:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35594:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35598:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2021-35613:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35618:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).

CVE-2021-35621:

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-11 14:44:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc70d2d8a5e6eb1d891faa922ebc513e422a896

commit efc70d2d8a5e6eb1d891faa922ebc513e422a896
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-11 14:43:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-11 14:44:17 +0000

    profiles: last-rite dev-db/mysql-cluster
    
    Bug: https://bugs.gentoo.org/834113
    Bug: https://bugs.gentoo.org/638856
    Bug: https://bugs.gentoo.org/675986
    Bug: https://bugs.gentoo.org/693564
    Bug: https://bugs.gentoo.org/741548
    Bug: https://bugs.gentoo.org/746710
    Bug: https://bugs.gentoo.org/750776
    Bug: https://bugs.gentoo.org/781281
    Bug: https://bugs.gentoo.org/801697
    Bug: https://bugs.gentoo.org/805521
    Bug: https://bugs.gentoo.org/819660
    Bug: https://bugs.gentoo.org/829342
    Bug: https://bugs.gentoo.org/831445
    Bug: https://bugs.gentoo.org/833523
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-04-13 05:55:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09e310df2857835d3298359785d695c5fb9d60ee

commit 09e310df2857835d3298359785d695c5fb9d60ee
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 05:51:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 05:54:57 +0000

    dev-db/mysql-cluster: treeclean
    
    Closes: https://bugs.gentoo.org/834113
    Closes: https://bugs.gentoo.org/829342
    Closes: https://bugs.gentoo.org/833523
    Closes: https://bugs.gentoo.org/693564
    Closes: https://bugs.gentoo.org/741548
    Closes: https://bugs.gentoo.org/746710
    Closes: https://bugs.gentoo.org/781281
    Closes: https://bugs.gentoo.org/638856
    Closes: https://bugs.gentoo.org/675986
    Closes: https://bugs.gentoo.org/831445
    Closes: https://bugs.gentoo.org/750776
    Closes: https://bugs.gentoo.org/801697
    Closes: https://bugs.gentoo.org/805521
    Bug: https://bugs.gentoo.org/819660
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mysql-cluster/Manifest                    |   2 -
 dev-db/mysql-cluster/files/my.cnf-5.6            | 139 ----
 dev-db/mysql-cluster/metadata.xml                |  19 -
 dev-db/mysql-cluster/mysql-cluster-7.4.21.ebuild | 811 -----------------------
 4 files changed, 971 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 14:36:18 UTC
All done!