From ${URL}:

Description
Multiple vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to manipulate certain data and cause a DoS (Denial of Service) and by malicious people to cause a DoS.

1) An error within the GIS subcomponent can be exploited to cause a crash.
2) An error within the Stored Procedure subcomponent can be exploited to cause a crash.
3) An error within the Thread Pooling subcomponent can be exploited to cause a crash.
4) An error within the InnoDB subcomponent can be exploited to cause a crash.
5) An error within the InnoDB subcomponent can be exploited to cause a crash.
6) An error within the InnoDB subcomponent can be exploited to cause a crash.
7) An error within the Locking subcomponent can be exploited to cause a crash.
8) An error within the Optimizer subcomponent can be exploited to cause a crash.
9) An error within the Partition subcomponent can be exploited to cause a crash.
10) An error within the Privileges subcomponent can be exploited to cause a crash.
11) An error within the FTS subcomponent can be exploited to cause a crash.
12) An error within the InnoDB subcomponent can be exploited to cause a crash.
13) An error within the Optimizer subcomponent can be exploited to cause a crash.
14) An error within the InnoDB subcomponent can be exploited to update, insert, or delete certain data.
15) An error within the Performance Schema subcomponent can be exploited to cause a crash.
16) An error within the Replication subcomponent can be exploited to cause a crash.
17) An error within the Error Handling subcomponent can be exploited to cause a crash.

Please see the vendor's advisories for a list of affected versions.

Solution:
Apply updates (please see the vendor's advisory for details).
Further details available to Secunia VIM customers.

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#MSQL

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Going through all the CVEs, here are the affected versions:
< 5.6.14
< 5.5.34
< 5.1.72

CVE-2014-0437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0437):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2014-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0433):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0431):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881.

CVE-2014-0430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0430):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.

CVE-2014-0427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0427):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via vectors related to FTS.

CVE-2014-0420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0420):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.

CVE-2014-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0412):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2014-0402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0402):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.

CVE-2014-0401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0401):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.

CVE-2014-0393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0393):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.

CVE-2014-0386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0386):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2013-5908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5908):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.

CVE-2013-5894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5894):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2013-5891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5891):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2013-5882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5882):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedures.

CVE-2013-5881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5881):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2014-0431.

CVE-2013-5860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5860):
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
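A triage helper that checks an inventory of MySQL server version strings against the per-branch cut-offs in this bug, added here as an example and not part of the bug or of Gentoo's tooling. The "last affected" release per branch is taken from the NVD descriptions quoted above ("5.1.72 and earlier", "5.5.34 and earlier", "5.6.14 and earlier"); the version strings and the suffix handling are assumptions about the usual `SELECT VERSION()` / `mysqld --version` output.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Highest affected release per branch, from the NVD text quoted in this bug.
# A server at or below one of these is affected by at least one CVE from
# the January 2014 Critical Patch Update.
LAST_AFFECTED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 1): (5, 1, 72),
    (5, 5): (5, 5, 34),
    (5, 6): (5, 6, 14),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from a server version string.

    Build suffixes such as '-log' or '-debug' (assumed to follow the
    numeric part, as SELECT VERSION() prints them) are ignored. Anything
    that does not start with three dotted integers yields None.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the release is at or below the branch cut-off, False if it is
    newer, None if the string is unparsable or the branch is not listed."""
    v = parse_version(version)
    if v is None or v[:2] not in LAST_AFFECTED:
        return None
    return v <= LAST_AFFECTED[v[:2]]


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Label each version string so a fleet inventory can be sorted by risk."""
    labels = {True: "AFFECTED", False: "fixed", None: "unknown"}
    return {ver: labels[is_affected(ver)] for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not data from the bug.
    sample = ["5.5.33-log", "5.5.34", "5.5.37", "5.6.14-debug",
              "5.6.15", "5.1.73", "5.0.96", "not-a-version"]
    for ver, label in triage(sample).items():
        print(f"{ver:16s} {label}")
```

Branches absent from the table (such as 5.0) are reported as "unknown" rather than "fixed", so they still get a human look.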
I've pushed mysql-5.5.37 into the tree. We're going to take care of this stabilization as this is the first 5.5 release we're going to mark stable.
Thanks for your work, guys. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml by GLSA coordinator Sergey Popov (pinkbyte).