Univention Bugzilla – Bug 50139
mariadb-10.1: Multiple issues (4.4)
Last modified: 2019-09-11 15:25:34 CEST
New Debian mariadb-10.1 10.1.41-0+deb9u1 fixes: This update addresses the following issues: * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2614) * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2627) * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2737) * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2019-2739) * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2740) * Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2805)
--- mirror/ftp/4.4/unmaintained/4.4-1/source/mariadb-10.1_10.1.38-0+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-1/source/mariadb-10.1_10.1.41-0+deb9u1.dsc @@ -1,3 +1,19 @@ +10.1.41-0+deb9u1 [Fri, 02 Aug 2019 18:10:23 +0100] Otto Kekäläinen <otto@debian.org>: + + * SECURITY UPDATE: New upstream version 10.1.41. Includes fixes for the + following security vulnerabilities: + - CVE-2019-2737 + - CVE-2019-2739 + - CVE-2019-2740 + - CVE-2019-2805 + * Previous release 10.1.39 + includes fixes for the following security vulnerabilities: + - CVE-2019-2627 + - CVE-2019-2614 + * Amend previous changelog entries to include newly released CVE numbers. + * Gitlab-CI: Sync latest version from Debian Sid but with Stretch adaptions + * Uses respolveip from correct path as per upstream fix (Closes: #928758) + 10.1.38-0+deb9u1 [Tue, 16 Apr 2019 14:56:50 +0300] Otto Kekäläinen <otto@debian.org>: * SECURITY UPDATE: New upstream release 10.1.38. Includes fixes for <http://10.200.17.11/4.4-1/#2598165946144244767>
OK: yaml OK: announce_errata OK: patch ~OK: piuparts unclean upstream [4.4-1] 1e7283a81b Bug #50139: mariadb-10.1 10.1.41-0+deb9u1 doc/errata/staging/mariadb-10.1.yaml | 83 +++++++++++++----------------------- 1 file changed, 29 insertions(+), 54 deletions(-) [4.4-1] c9acc161c8 Bug #50139: mariadb-10.1 10.1.41-0+deb9u1 doc/errata/staging/mariadb-10.1.yaml | 72 ++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+)
<http://errata.software-univention.de/ucs/4.4/267.html>