Full Disclosure mailing list archives
[ GLSA 201201-02 ] MySQL: Multiple vulnerabilities
From: Tim Sammut <underling () gentoo org>
Date: Thu, 05 Jan 2012 15:08:46 -0800
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: MySQL: Multiple vulnerabilities Date: January 05, 2012 Bugs: #220813, #229329, #237166, #238117, #240407, #277717, #294187, #303747, #319489, #321791, #339717, #344987, #351413 ID: 201201-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in MySQL, some of which may allow execution of arbitrary code. Background ========== MySQL is a popular open-source multi-threaded, multi-user SQL database server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.1.56 >= 5.1.56 Description =========== Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2008-3963 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963 [ 2 ] CVE-2008-4097 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097 [ 3 ] CVE-2008-4098 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098 [ 4 ] CVE-2008-4456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456 [ 5 ] CVE-2008-7247 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247 [ 6 ] CVE-2009-2446 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446 [ 7 ] CVE-2009-4019 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019 [ 8 ] CVE-2009-4028 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028 [ 9 ] CVE-2009-4484 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484 [ 10 ] CVE-2010-1621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621 [ 11 ] CVE-2010-1626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626 [ 12 ] CVE-2010-1848 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848 [ 13 ] CVE-2010-1849 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849 [ 14 ] CVE-2010-1850 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850 [ 15 ] CVE-2010-2008 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008 [ 16 ] CVE-2010-3676 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676 [ 17 ] CVE-2010-3677 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677 [ 18 ] CVE-2010-3678 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678 [ 19 ] CVE-2010-3679 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679 [ 20 ] CVE-2010-3680 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680 [ 21 ] CVE-2010-3681 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681 [ 22 ] CVE-2010-3682 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682 [ 23 ] CVE-2010-3683 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683 [ 24 ] CVE-2010-3833 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833 [ 25 ] CVE-2010-3834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834 [ 26 ] CVE-2010-3835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835 [ 27 ] CVE-2010-3836 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836 [ 28 ] CVE-2010-3837 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837 [ 29 ] CVE-2010-3838 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838 [ 30 ] CVE-2010-3839 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839 [ 31 ] CVE-2010-3840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [ GLSA 201201-02 ] MySQL: Multiple vulnerabilities Tim Sammut (Jan 05)