Bug 42876 – mysql-5.5: Multiple issues (3.3)

Bug 42876 - mysql-5.5: Multiple issues (3.3)


Summary:	mysql-5.5: Multiple issues (3.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.3-1-errata
Assigned To:	Arvid Requate
QA Contact:	Janek Walkenhorst

URL:	http://www.oracle.com/technetwork/sec...
Keywords:

Depends on:	42875 43380 44516 45094
Blocks:
	Show dependency tree / graph

Reported:	2016-11-08 12:29 CET by Arvid Requate
Modified:	2017-07-28 13:14 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-11-08 12:29:06 CET

+++ This bug was initially created as a clone of Bug #42875 +++

New security vulnerabilities have been discovered in MySQL:

* https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
* http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL



* Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. (CVE-2016-5584)

* yaSSL: AES key leak via cache-bank timing side channel attack (CVE-2016-7440)

Comment 1 Arvid Requate

2016-11-16 16:21:30 CET

Fixed in upstream Debian package version 5.5.53-0+deb7u1.

Comment 2 Arvid Requate

2017-01-20 09:49:07 CET

New security vulnerabilities have been discovered in MySQL:

* https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
* http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

The current version in UCS 4.1-4 may be affected by these:

CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3258
CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3313
CVE-2017-3317 CVE-2017-3318

Comment 3 Arvid Requate

2017-01-25 19:45:57 CET

Fixed upstream in 5.5.54-0+deb7u1.

Comment 4 Arvid Requate

2017-01-25 20:50:55 CET

Imported and built.
Advisory: mysql-5.5.yaml

Comment 5 Arvid Requate

2017-05-02 18:19:15 CEST

Upstream Debian package version 5.5.55-0+deb7u1 fixes these issues:

CVE-2016-5483 CVE-2017-3302 CVE-2017-3305 CVE-2017-3308
CVE-2017-3309 CVE-2017-3329 CVE-2017-3453 CVE-2017-3456
CVE-2017-3461 CVE-2017-3462 CVE-2017-3463 CVE-2017-3464
CVE-2017-3600

Package imported and built. Advisory updated.

Comment 6 Janek Walkenhorst

2017-05-16 18:48:24 CEST

mysql-server-5.5 hängt ab von initscripts (>= 2.88dsf-13.3) [NICHT VERFÜGBAR]

Additionally, could you move the advisory into the "staging" subdirectory?

Comment 7 Janek Walkenhorst

2017-05-16 18:56:19 CEST

(In reply to Janek Walkenhorst from comment #6)
> Additionally, could you move the advisory into the "staging" subdirectory?
That has already happenend.

Comment 8 Arvid Requate

2017-06-26 19:13:38 CEST

Ok, two svn/patches had been dropped in errata3.3-0, I've rebuilt the package with them.

Comment 9 Janek Walkenhorst

2017-07-10 17:38:45 CEST

Advisory: OK
Tests: OK

Comment 10 Janek Walkenhorst

2017-07-20 15:01:07 CEST

<http://errata.software-univention.de/ucs/3.3/42.html>