Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120210095417.GA27095@foo.fgeek.fi>
Date: Fri, 10 Feb 2012 11:54:17 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: MySQL 0-day - does it need a CVE?

On Fri, Feb 10, 2012 at 12:36:46AM +0400, Solar Designer wrote:
> On Thu, Feb 09, 2012 at 10:09:44PM +0200, Henri Salo wrote:
> > Oracle MySQL Server CVE-2012-0492 Remote MySQL Server Vulnerability ??? http://www.securityfocus.com/bid/51516
> 
> Why this one?
> 
> The table at the bottom of:
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
> 
> lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
> little other info.  CVE-2012-0492 is one of them, but it does not stand
> out.  (And I have no idea what it actually is, just like I have no idea
> about the remaining 26.)
> 
> "This Critical Patch Update contains 27 new security fixes for Oracle
> MySQL.  1 of these vulnerabilities may be remotely exploitable without
> authentication, i.e., may be exploited over a network without the need
> for a username and password."
> 
> That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
> 
> I wish we had more info.
> 
> Alexander

Sory for not being clear. I am not sure what the CVE-identifier is as I told in my last email to this thread. New cases I have seen: http://security-tracker.debian.org/tracker/CVE-2011-2262 http://security-tracker.debian.org/tracker/CVE-2012-0492 latter link with a list of "a different vulnerability than". I do NOT have any facts about these vulnerabilities. I hope Oracle coordinates issues like these with MITRE/US-CERT and adds more information to advisory and CVE after these are 100% public and distros are ready.

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.