Gentoo Archives: gentoo-announce

From: Sergey Popov <pinkbyte@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201409-04 ] MySQL: Multiple vulnerabilities
Date: Thu, 04 Sep 2014 08:58:41
Message-Id: 54082756.4000306@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201409-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MySQL: Multiple vulnerabilities
      Date: September 04, 2014
      Bugs: #460748, #488212, #498164, #500260, #507802, #518718
        ID: 201409-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MySQL, the worst of which
allows local attackers to escalate their privileges.

Background
==========

MySQL is a popular multi-threaded, multi-user SQL server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql               < 5.5.39                    >= 5.5.39

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could possibly gain escalated privileges. A remote
attacker could send a specially crafted SQL query, possibly resulting
in a Denial of Service condition. A remote attacker could entice a user
to connect to a specially crafted MySQL server, possibly resulting in
execution of arbitrary code with the privileges of the connecting
client process.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.39"

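As an added example (not part of the GLSA and not Gentoo's own tooling): a POSIX shell check that decides whether an installed dev-db/mysql version falls inside the vulnerable range given in the Affected packages table, i.e. anything below 5.5.39. Gentoo revision suffixes such as -r1 are stripped before comparison because the advisory's bound is on the upstream version. The versions fed to the loop at the bottom are constructed for illustration, not read from a real system; on a live box the installed version would come from a tool such as `qlist -Iv dev-db/mysql` (app-portage/portage-utils) or `equery list dev-db/mysql` (app-portage/gentoolkit). Note that this GLSA lists only dev-db/mysql, so the check is scoped to that package.

```shell
#!/bin/sh
# Added example for GLSA 201409-04: is an installed dev-db/mysql version
# in the vulnerable range "< 5.5.39"?  Not Gentoo's own code.

FIXED_VERSION="5.5.39"   # lower bound of the "Unaffected" column

# vercmp A B: compare two dotted numeric versions, printing -1, 0 or 1.
# A Gentoo revision suffix (-rN) and anything after the first
# non-numeric character (e.g. "_p1") are ignored on purpose: the GLSA's
# bound is expressed on the upstream MySQL version only.
vercmp() {
    a=$(printf '%s' "$1" | sed -e 's/-r[0-9]*$//' -e 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed -e 's/-r[0-9]*$//' -e 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # Drop the component just consumed; missing components count as 0,
        # so "5.5" compares as "5.5.0".
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# mysql_is_vulnerable VERSION: exit 0 (true) when VERSION < 5.5.39.
mysql_is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample versions (not real system output) to show both sides
# of the boundary.
for v in 5.1.73 5.5.38-r1 5.5.39 5.6.20; do
    if mysql_is_vulnerable "$v"; then
        printf '%-12s VULNERABLE, upgrade to >=dev-db/mysql-%s\n' "$v" "$FIXED_VERSION"
    else
        printf '%-12s unaffected\n' "$v"
    fi
done
```

Save it as a script and run it with `sh`; substitute the real installed version for the sample list. This is only a convenience for scripting a fleet audit: Gentoo's own `glsa-check` (app-portage/gentoolkit) already performs this comparison against the published GLSA database and is the tool to rely on.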
References
==========

[  1 ] CVE-2013-1861
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1861
[  2 ] CVE-2013-2134
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2134
[  3 ] CVE-2013-3839
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3839
[  4 ] CVE-2013-5767
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5767
[  5 ] CVE-2013-5770
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5770
[  6 ] CVE-2013-5786
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5786
[  7 ] CVE-2013-5793
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5793
[  8 ] CVE-2013-5807
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5807
[  9 ] CVE-2013-5860
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5860
[ 10 ] CVE-2013-5881
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5881
[ 11 ] CVE-2013-5882
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5882
[ 12 ] CVE-2013-5891
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5891
[ 13 ] CVE-2013-5894
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5894
[ 14 ] CVE-2013-5908
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5908
[ 15 ] CVE-2014-0001
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0001
[ 16 ] CVE-2014-0384
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0384
[ 17 ] CVE-2014-0386
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0386
[ 18 ] CVE-2014-0393
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0393
[ 19 ] CVE-2014-0401
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0401
[ 20 ] CVE-2014-0402
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0402
[ 21 ] CVE-2014-0412
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0412
[ 22 ] CVE-2014-0420
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0420
[ 23 ] CVE-2014-0427
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0427
[ 24 ] CVE-2014-0430
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0430
[ 25 ] CVE-2014-0431
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0431
[ 26 ] CVE-2014-0433
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0433
[ 27 ] CVE-2014-0437
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0437
[ 28 ] CVE-2014-2419
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2419
[ 29 ] CVE-2014-2430
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2430
[ 30 ] CVE-2014-2431
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2431
[ 31 ] CVE-2014-2432
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2432
[ 32 ] CVE-2014-2434
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2434
[ 33 ] CVE-2014-2435
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2435
[ 34 ] CVE-2014-2436
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2436
[ 35 ] CVE-2014-2438
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2438
[ 36 ] CVE-2014-2440
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2440

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201409-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Attachments

File name        MIME type
signature.asc    application/pgp-signature