Bug 45633 - mysql-5.5: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
P5 normal
UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
https://dev.mysql.com/doc/relnotes/my...
Depends on:
Blocks: 45634 46865
Reported: 2017-11-01 16:42 CET by Arvid Requate
Modified: 2018-04-23 09:53 CEST
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-11-01 16:42:16 CET
Upstream Debian package version 5.5.58-0+deb8u1 fixes these issues:

* Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (CVE-2017-10268)
* Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server (CVE-2017-10378)
* Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (CVE-2017-10379)
* Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server (CVE-2017-10384)
Comment 1 Philipp Hahn univentionstaff 2018-01-25 10:59:35 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 2 Philipp Hahn univentionstaff 2018-01-25 17:35:17 CET
mysql-5.5 (5.5.59-0+deb8u1)

* CVE-2018-2562: Partition unspecified vulnerability (CPU Jan 2018)
* CVE-2018-2622: DDL unspecified vulnerability (CPU Jan 2018)
* CVE-2018-2640: Optimizer unspecified vulnerability (CPU Jan 2018)
* CVE-2018-2665: Optimizer unspecified vulnerability (CPU Jan 2018)
* CVE-2018-2668: Optimizer unspecified vulnerability (CPU Jan 2018)

801b6354e4 Bug #45633: mysql-5.5.59
Comment 3 Arvid Requate univentionstaff 2018-04-12 19:44:35 CEST
The Advisory lists CVEs already fixed in 5.5.57-0+deb8u1:
  http://errata.software-univention.de/ucs/4.2/125.html



Otherwise verified:
* Upstream source package imported
* UCS patches applied during build
* Package update worked
Comment 4 Philipp Hahn univentionstaff 2018-04-18 06:17:21 CEST
(In reply to Arvid Requate from comment #3)
> The Advisory lists CVEs already fixed in 5.5.57-0+deb8u1:
>   http://errata.software-univention.de/ucs/4.2/125.html

Thanks, fixed:
[4.2-3] a3a771e0d4 Bug #45633: mysql 5.5.59-0+deb8u1 YAML
 doc/errata/staging/mysql-5.5.yaml | 60 +++++++-----------------------------------------------------
 1 file changed, 7 insertions(+), 53 deletions(-)

See <http://metadata.ftp-master.debian.org/changelogs/main/m/mysql-5.5/mysql-5.5_5.5.59-0+deb8u1_changelog> for a list of fixed CVEs.
Comment 5 Arvid Requate univentionstaff 2018-04-18 13:30:27 CEST
57ae567b5e | Typo

Verified
Comment 6 Arvid Requate univentionstaff 2018-04-18 14:15:56 CEST
<http://errata.software-univention.de/ucs/4.2/339.html>