Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 644986 (CVE-2018-2562, CVE-2018-2573, CVE-2018-2583, CVE-2018-2590, CVE-2018-2591, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2645, CVE-2018-2647, CVE-2018-2665, CVE-2018-2668, CVE-2018-2696, CVE-2018-2703) - <dev-db/mysql-{5.5.59,5.6.39}: Multiple Vulnerabilities (CVE-2018-{2562,2622,2640,2665,2668})
Summary: <dev-db/mysql-{5.5.59,5.6.39}: Multiple Vulnerabilities (CVE-2018-{2562,2622,...
Status: RESOLVED FIXED
Alias: CVE-2018-2562, CVE-2018-2573, CVE-2018-2583, CVE-2018-2590, CVE-2018-2591, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2645, CVE-2018-2647, CVE-2018-2665, CVE-2018-2668, CVE-2018-2696, CVE-2018-2703
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-10155, CVE-2017-10227, CVE-2017-10268, CVE-2017-10276, CVE-2017-10279, CVE-2017-10283, CVE-2017-10286, CVE-2017-10294, CVE-2017-10314, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384
  Show dependency tree
 
Reported: 2018-01-18 22:00 UTC by Attila Tóth
Modified: 2018-11-25 03:56 UTC (History)
2 users (show)

See Also:
Package list:
dev-db/mysql-5.6.39
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Attila Tóth 2018-01-18 22:00:12 UTC
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes.

Reproducible: Always
Comment 1 Attila Tóth 2018-01-18 22:03:45 UTC
5.6.38 seems to be OK, 5.7 is not in the tree. 5.5.58 might worth a bump for whoever it may concern, because its keyworded and 5.6.38 is already stable for many architectures...
Comment 2 Larry the Git Cow gentoo-dev 2018-01-19 02:33:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c17b1113e3a9e123ab6d0c1d6e39f78aa696e6a

commit 8c17b1113e3a9e123ab6d0c1d6e39f78aa696e6a
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-01-19 02:33:00 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-01-19 02:33:00 +0000

    dev-db/mysql: Version bump for 5.6.39
    
    Bug: https://bugs.gentoo.org/644986
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/mysql/Manifest            |   1 +
 dev-db/mysql/mysql-5.6.39.ebuild | 192 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 193 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cc2f5ec99aed048bcfe488dfcbc894904058d61

commit 6cc2f5ec99aed048bcfe488dfcbc894904058d61
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-01-19 02:08:09 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-01-19 02:08:09 +0000

    dev-db/mysql: Version bump for 5.5.59
    
    Bug: https://bugs.gentoo.org/644986
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/mysql/Manifest            |   1 +
 dev-db/mysql/mysql-5.5.59.ebuild | 133 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 134 insertions(+)}
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-01-19 11:15:24 UTC
CVE-2018-2668 (https://nvd.nist.gov/vuln/detail/CVE-2018-2668):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Optimizer). Supported versions that are affected are 5.5.58 and
  prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base
  Score 6.5 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2665 (https://nvd.nist.gov/vuln/detail/CVE-2018-2665):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Optimizer). Supported versions that are affected are 5.5.58 and
  prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base
  Score 6.5 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2640 (https://nvd.nist.gov/vuln/detail/CVE-2018-2640):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Optimizer). Supported versions that are affected are 5.5.58 and
  prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base
  Score 6.5 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2622 (https://nvd.nist.gov/vuln/detail/CVE-2018-2622):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: DDL). Supported versions that are affected are 5.5.58 and prior,
  5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability
  allows low privileged attacker with network access via multiple protocols to
  compromise MySQL Server. Successful attacks of this vulnerability can result
  in unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2562 (https://nvd.nist.gov/vuln/detail/CVE-2018-2562):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server : Partition). Supported versions that are affected are 5.5.58 and
  prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server as well as
  unauthorized update, insert or delete access to some of MySQL Server
  accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-01-19 13:23:11 UTC
@ Attila: Thanks for the report but please don't set versions in summary next time.

> 5.6.38 seems to be OK
No, it is not. 5.6.38 is vulnerable.
Comment 5 Attila Tóth 2018-01-19 13:28:44 UTC
(In reply to Thomas Deutschmann from comment #4)
> @ Attila: Thanks for the report but please don't set versions in summary
> next time.
> 
> > 5.6.38 seems to be OK
> No, it is not. 5.6.38 is vulnerable.

Sorry: the source I was citing was wrong and I would have to double check the versions. Next time I will be more careful.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-01-22 14:22:49 UTC
CVE-2018-2703 (https://nvd.nist.gov/vuln/detail/CVE-2018-2703):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server : Security : Privileges). Supported versions that are affected are
  5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability
  allows low privileged attacker with network access via multiple protocols to
  compromise MySQL Server. Successful attacks of this vulnerability can result
  in unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2696 (https://nvd.nist.gov/vuln/detail/CVE-2018-2696):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server : Security : Privileges). Supported versions that are affected are
  5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability
  allows unauthenticated attacker with network access via multiple protocols
  to compromise MySQL Server. Successful attacks of this vulnerability can
  result in unauthorized ability to cause a hang or frequently repeatable
  crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2647 (https://nvd.nist.gov/vuln/detail/CVE-2018-2647):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Replication). Supported versions that are affected are 5.6.38 and
  prior and 5.7.20 and prior. Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to compromise
  MySQL Server. Successful attacks of this vulnerability can result in
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of MySQL Server as well as unauthorized update, insert or
  delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score
  5.5 (Integrity and Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2645 (https://nvd.nist.gov/vuln/detail/CVE-2018-2645):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Performance Schema). Supported versions that are affected are 5.6.38
  and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to compromise
  MySQL Server. Successful attacks of this vulnerability can result in
  unauthorized access to critical data or complete access to all MySQL Server
  accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS
  Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2018-2612 (https://nvd.nist.gov/vuln/detail/CVE-2018-2612):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  InnoDB). Supported versions that are affected are 5.6.38 and prior and
  5.7.20 and prior. Easily exploitable vulnerability allows high privileged
  attacker with network access via multiple protocols to compromise MySQL
  Server. Successful attacks of this vulnerability can result in unauthorized
  creation, deletion or modification access to critical data or all MySQL
  Server accessible data and unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base
  Score 6.5 (Integrity and Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVE-2018-2591 (https://nvd.nist.gov/vuln/detail/CVE-2018-2591):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server : Partition). Supported versions that are affected are 5.6.38 and
  prior and 5.7.19 and prior. Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to compromise
  MySQL Server. Successful attacks of this vulnerability can result in
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2590 (https://nvd.nist.gov/vuln/detail/CVE-2018-2590):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: Performance Schema). Supported versions that are affected are 5.6.38
  and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to compromise
  MySQL Server. Successful attacks of this vulnerability can result in
  unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability
  impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2583 (https://nvd.nist.gov/vuln/detail/CVE-2018-2583):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Stored Procedure). Supported versions that are affected are 5.6.38 and prior
  and 5.7.20 and prior. Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to compromise
  MySQL Server. While the vulnerability is in MySQL Server, attacks may
  significantly impact additional products. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base
  Score 6.8 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).

CVE-2018-2573 (https://nvd.nist.gov/vuln/detail/CVE-2018-2573):
  Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
  Server: GIS). Supported versions that are affected are 5.6.38 and prior and
  5.7.20 and prior. Easily exploitable vulnerability allows low privileged
  attacker with network access via multiple protocols to compromise MySQL
  Server. Successful attacks of this vulnerability can result in unauthorized
  ability to cause a hang or frequently repeatable crash (complete DOS) of
  MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-01-25 18:26:08 UTC
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mysql-5.6.39 alpha amd64 arm hppa ia64 ppc ppc64 x86


# Official test instructions:
# USE='embedded extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-5.6.39.ebuild \
# clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-27 21:24:35 UTC
amd64 stable
Comment 9 Sergei Trofimovich gentoo-dev 2018-02-04 20:42:44 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2018-02-05 21:25:28 UTC
arm stable
Comment 11 Tomáš Mózes 2018-02-07 09:52:16 UTC
Seems like a newly released Mariadb is also affected by some of those CVEs.

https://mariadb.com/kb/en/library/mariadb-10131-release-notes/
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-02-14 13:00:03 UTC
x86 stable
Comment 13 Thomas Deutschmann gentoo-dev Security 2018-02-19 23:05:07 UTC
Added to an existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2018-02-20 01:00:24 UTC
This issue was resolved and addressed in
 GLSA 201802-04 at https://security.gentoo.org/glsa/201802-04
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann gentoo-dev Security 2018-02-20 01:02:33 UTC
Re-opening for remaining architectures.
Comment 16 Tobias Klausmann gentoo-dev 2018-03-04 16:25:51 UTC
Stable on alpha.
Comment 17 Sergei Trofimovich gentoo-dev 2018-03-30 12:04:13 UTC
ppc64 stable
Comment 18 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-05-07 16:29:46 UTC
@Arches,

Stabilization will probably be finished in bug 655182.
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 03:56:33 UTC
tree is clean