Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 537216 (CVE-2014-6568) - <dev-db/mysql-5.6.22: multiple vulnerabilities (CVE-2014-6568,CVE-2015-{0374,0381,0382,0385,0391,0409,0411,0432})
Summary: <dev-db/mysql-5.6.22: multiple vulnerabilities (CVE-2014-6568,CVE-2015-{0374,...
Status: RESOLVED FIXED
Alias: CVE-2014-6568
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on: 525296
Blocks:
  Show dependency tree
 
Reported: 2015-01-21 09:39 UTC by Agostino Sarubbo
Modified: 2015-04-11 20:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-01-21 10:18:27 UTC
@maintainers: Can you please advise as to the impact on dev-db/mariadb following this security announcement and whether we should treat the packages commonly in this bug or clone it for parallel handling?
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2015-01-21 13:35:10 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> @maintainers: Can you please advise as to the impact on dev-db/mariadb
> following this security announcement and whether we should treat the
> packages commonly in this bug or clone it for parallel handling?

MariaDB 5.5.x follows the MySQL releases and then adds in their own changes.

The in the case of 10.0.x, MariaDB includes the 5.5 code base of MySQL as well as some parts of 5.6 though some 5.6 features are reimplemented.

MariaDB announces what releases fix what CVEs here[1].

Unfortunately, with Oracle being so secretive about what they fix, it is difficult to coordinate until MariaDB publishes.

[1] https://mariadb.com/kb/en/mariadb/development/security/
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2015-01-21 16:30:25 UTC
(In reply to Brian Evans from comment #2)
> (In reply to Kristian Fiskerstrand from comment #1)
> > @maintainers: Can you please advise as to the impact on dev-db/mariadb
> > following this security announcement and whether we should treat the
> > packages commonly in this bug or clone it for parallel handling?
> 
> MariaDB 5.5.x follows the MySQL releases and then adds in their own changes.
> 
> The in the case of 10.0.x, MariaDB includes the 5.5 code base of MySQL as
> well as some parts of 5.6 though some 5.6 features are reimplemented.
> 
> MariaDB announces what releases fix what CVEs here[1].
> 
> Unfortunately, with Oracle being so secretive about what they fix, it is
> difficult to coordinate until MariaDB publishes.
> 
> [1] https://mariadb.com/kb/en/mariadb/development/security/


Thanks, continuing mariadb tracking in bug 537262
Comment 4 Brian Evans Gentoo Infrastructure gentoo-dev 2015-01-23 15:13:03 UTC
dev-db/mysql-5.6.22 has been in the tree for a while and bug #525296 has started stables (So far just arm and hppa)

This satisfies the security versions listed in the Oracle link.

If 5.6.22 is the main target, MariaDB-10.0.15-r1 must be stabled together in this particular case or else users can be forced to switch implementations with possible unintended consequences if they are not paying attention.

Otherwise, 5.5.41 is also in the tree.

I do know that multilib needs 5.6.22.

I just want to make clear the situation to best serve our users.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-24 00:28:13 UTC
CVE-2015-0432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0432):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows
  remote authenticated users to affect availability via vectors related to
  Server : InnoDB : DDL : Foreign Key.

CVE-2015-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0411):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and
  5.6.21 and earlier, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Server : Security
  : Encryption.

CVE-2015-0409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0409):
  Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Optimizer.

CVE-2015-0391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0391):
  Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and
  5.6.19 and earlier, allows remote authenticated users to affect availability
  via vectors related to DDL.

CVE-2015-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0385):
  Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows
  remote authenticated users to affect availability via unknown vectors
  related to Pluggable Auth.

CVE-2015-0382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0382):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and
  5.6.21 and earlier allows remote attackers to affect availability via
  unknown vectors related to Server : Replication, a different vulnerability
  than CVE-2015-0381.

CVE-2015-0381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0381):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and
  5.6.21 and earlier allows remote attackers to affect availability via
  unknown vectors related to Server : Replication, a different vulnerability
  than CVE-2015-0382.

CVE-2015-0374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0374):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and
  5.6.21 and earlier allows remote authenticated users to affect
  confidentiality via unknown vectors related to Server : Security :
  Privileges : Foreign Key.

CVE-2014-6568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6568):
  Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and
  5.6.21 and earlier, allows remote authenticated users to affect availability
  via vectors related to Server : InnoDB : DML.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-16 14:17:21 UTC
Arches, Thank you for your work.
stabilized as part of Bug #525296

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 7 Brian Evans Gentoo Infrastructure gentoo-dev 2015-02-16 14:29:43 UTC
Added to package.mask

# Brian Evans <grknight@gentoo.org> (16 Feb 2015)
# Mask MySQL and MariaDB 5.5 series for security bug 537216
# Please make sure mysql_upgrade has been run before moving to 5.6
# Not removing until roughly Dec 2015 as an upgrade path must
# exist or else the server may crash if the admin has not done
# proper maintenance prior to updating
=virtual/mysql-5.5
=dev-db/mysql-5.5*
=dev-db/mariadb-5.5*
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:43:13 UTC
This issue was resolved and addressed in
 GLSA 201504-05 at https://security.gentoo.org/glsa/201504-05
by GLSA coordinator Yury German (BlueKnight).