Message-ID: <20120209203646.GA12774@openwall.com>
Date: Fri, 10 Feb 2012 00:36:46 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: MySQL 0-day - does it need a CVE?

On Thu, Feb 09, 2012 at 10:09:44PM +0200, Henri Salo wrote:
> Oracle MySQL Server CVE-2012-0492 Remote MySQL Server Vulnerability ??? http://www.securityfocus.com/bid/51516

Why this one?

The table at the bottom of:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
little other info.  CVE-2012-0492 is one of them, but it does not stand
out.  (And I have no idea what it actually is, just like I have no idea
about the remaining 26.)

"This Critical Patch Update contains 27 new security fixes for Oracle
MySQL.  1 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need
for a username and password."

That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.

I wish we had more info.

Alexander
