Message-ID: <20120618185001.0a5ad2fd@redhat.com>
Date: Mon, 18 Jun 2012 18:50:01 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com, secalert_us@...cle.com
Cc: serg@...typrogram.com
Subject: Re: MySQL CVEs (was: Security vulnerability in MySQL/MariaDB sql/password.c)

Hijacking this thread a bit...

On Sat, 9 Jun 2012 17:30:38 +0200 Sergei Golubchik wrote:

> MySQL bug report:
> http://bugs.mysql.com/bug.php?id=64884
> MySQL fix:
> http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
> MySQL changelog:
> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

In addition to 64884 / CVE-2012-2122 reported by Sergei, the 5.1.63 release notes also mention an additional security fix:

* Security Fix: Bug #59387 was fixed.

which can be tracked to the following commit:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16

This allows a non-admin mysql user to crash mysqld. The fix is also in 5.5.24, but it is not mentioned in the 5.5.24 release notes or the changelog file included in the sources. 5.0.x is affected too.

Can the CVE be assigned? I'm CCing the Oracle security team explicitly, so they can reply with their existing assignment (if any), and/or are aware of the new assignment.

Additionally, the 5.5.23 changes include another security fix:

* Security Fix: Bug #59533 was fixed.

However, I've not had much luck trying to find a commit or any further info for this issue. The upstream bug is private. Does anyone have any further info?

Additionally, the following bugs try to collect info on MySQL security fixes in the last released and an upcoming Oracle CPU:

https://bugzilla.redhat.com/show_bug.cgi?id=832477
https://bugzilla.redhat.com/show_bug.cgi?id=832540

It would be nice if Oracle could confirm the mapping between CVEs and particular issues to avoid any incorrect guesses.

If anyone else has been looking into trying to map Oracle-assigned CVEs to specific changes and has any info missing in the above bugs, feel free to comment there.

-- 
Tomas Hoger / Red Hat Security Response Team