Gentoo Archives: gentoo-announce

From: Tim Sammut <underling@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201201-02 ] MySQL: Multiple vulnerabilities
Date: Thu, 05 Jan 2012 23:15:01
Message-Id: 4F062D7E.1070408@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201201-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: MySQL: Multiple vulnerabilities
Date: January 05, 2012
Bugs: #220813, #229329, #237166, #238117, #240407, #277717,
      #294187, #303747, #319489, #321791, #339717, #344987, #351413
ID: 201201-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in MySQL, some of which may allow
execution of arbitrary code.

Background
==========

MySQL is a popular open-source multi-threaded, multi-user SQL database
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql             < 5.1.56                      >= 5.1.56

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

An unauthenticated remote attacker may be able to execute arbitrary
code with the privileges of the MySQL process, cause a Denial of
Service condition, bypass security restrictions, uninstall arbitrary
MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting
attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 14, 2011. It is likely that your system is already
no longer affected by this issue.
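
Because this is a legacy advisory, the practical question for an administrator is whether an installed dev-db/mysql version still falls below the 5.1.56 threshold in the table above. The following POSIX shell script is an added example, not part of the GLSA or of Gentoo's own tooling: it compares a Gentoo package version against that threshold, taking Portage's -rN revision and _alpha/_beta/_pre/_rc/_p suffixes into account, and with no arguments reads the versions recorded in Portage's installed-package database under /var/db/pkg (an assumed location; adjust it if your VDB lives elsewhere). The script only reports; the emerge commands in the Resolution section remain the fix.

```shell
#!/bin/sh
# Added example (not part of GLSA 201201-02 or Gentoo's tooling): decide
# whether a dev-db/mysql version falls in the advisory's vulnerable range
# (< 5.1.56) and, with no arguments, check the versions recorded in
# Portage's installed-package database (assumed path: /var/db/pkg).

FIXED=5.1.56   # first unaffected version, taken from the advisory's table

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Components are compared numerically, so 5.1.9 < 5.1.56 and 5.1 == 5.1.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# version_gt A B: return 0 if A is strictly greater than B.
version_gt() {
    ! version_ge "$2" "$1"
}

# mysql_affected VERSION: return 0 if the given Gentoo package version is
# vulnerable per the advisory, 1 if it already carries the fix.
# A -rN revision or _pN release of 5.1.56 is fixed; a pre-release
# (_alpha/_beta/_pre/_rc) of 5.1.56 predates the fix and is still affected.
mysql_affected() {
    v="${1%%-r*}"          # drop the Gentoo revision suffix (-rN)
    pre=0
    case "$v" in *_alpha*|*_beta*|*_pre*|*_rc*) pre=1 ;; esac
    v="${v%%_*}"           # drop any remaining _suffix, keep the numeric base
    if version_ge "$v" "$FIXED"; then
        if [ "$pre" -eq 1 ] && ! version_gt "$v" "$FIXED"; then
            return 0       # e.g. 5.1.56_rc1: older than the fixed release
        fi
        return 1
    fi
    return 0
}

# installed_mysql_versions: print the dev-db/mysql versions recorded in the
# Portage VDB, one directory per installed package version. Prints nothing
# when the package is not installed or the VDB path does not exist.
installed_mysql_versions() {
    for d in /var/db/pkg/dev-db/mysql-[0-9]*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/mysql-}"
    done
}

# report VERSION: one line of output per version checked.
report() {
    if mysql_affected "$1"; then
        echo "dev-db/mysql-$1: AFFECTED (< $FIXED), upgrade per GLSA 201201-02"
    else
        echo "dev-db/mysql-$1: not affected (>= $FIXED)"
    fi
}

# Usage: sh check-mysql-glsa.sh [VERSION ...]
# With no arguments the installed versions are checked instead.
if [ $# -gt 0 ]; then
    for ver in "$@"; do report "$ver"; done
else
    for ver in $(installed_mysql_versions); do report "$ver"; done
fi
```

Running `sh check-mysql-glsa.sh 5.1.55-r2 5.1.56_rc1 5.1.56-r1` reports the first two as affected and the last as fixed; the revision is ignored because Gentoo revisions only re-package the same upstream release, while a pre-release suffix is treated as older than the base version, matching Portage's own ordering.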

References
==========

[ 1 ] CVE-2008-3963
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963
[ 2 ] CVE-2008-4097
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097
[ 3 ] CVE-2008-4098
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098
[ 4 ] CVE-2008-4456
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456
[ 5 ] CVE-2008-7247
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247
[ 6 ] CVE-2009-2446
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446
[ 7 ] CVE-2009-4019
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019
[ 8 ] CVE-2009-4028
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028
[ 9 ] CVE-2009-4484
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484
[ 10 ] CVE-2010-1621
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621
[ 11 ] CVE-2010-1626
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626
[ 12 ] CVE-2010-1848
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848
[ 13 ] CVE-2010-1849
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849
[ 14 ] CVE-2010-1850
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850
[ 15 ] CVE-2010-2008
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008
[ 16 ] CVE-2010-3676
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676
[ 17 ] CVE-2010-3677
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677
[ 18 ] CVE-2010-3678
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678
[ 19 ] CVE-2010-3679
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679
[ 20 ] CVE-2010-3680
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680
[ 21 ] CVE-2010-3681
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681
[ 22 ] CVE-2010-3682
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682
[ 23 ] CVE-2010-3683
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683
[ 24 ] CVE-2010-3833
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833
[ 25 ] CVE-2010-3834
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834
[ 26 ] CVE-2010-3835
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835
[ 27 ] CVE-2010-3836
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836
[ 28 ] CVE-2010-3837
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837
[ 29 ] CVE-2010-3838
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838
[ 30 ] CVE-2010-3839
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839
[ 31 ] CVE-2010-3840
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201201-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
