ID

VAR-201504-0166

CVE

CVE-2015-0501

TITLE

Oracle MySQL Server Server:Compiling Subcomponent Denial of Service Vulnerability

DESCRIPTION

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'Server : Compiling' sub component is affected. This vulnerability affects the following supported versions: 5.5.42 and earlier, 5.6.23 and earlier. The database system has the characteristics of high performance, low cost and good reliability. A remote attacker can exploit this vulnerability to cause a denial of service and affect data availability. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201507-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MySQL: Multiple vulnerabilities Date: July 10, 2015 Bugs: #546722 ID: 201507-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in MySQL, allowing attackers to execute arbitrary code or cause Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.6.24 *>= 5.5.43 >= 5.6.24 Description =========== Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the application or a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL 5.5.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.43" All MySQL 5.6.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.24" References ========== [ 1 ] CVE-2015-0405 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0405 [ 2 ] CVE-2015-0423 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0423 [ 3 ] CVE-2015-0433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0433 [ 4 ] CVE-2015-0438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0438 [ 5 ] CVE-2015-0439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0439 [ 6 ] CVE-2015-0441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0441 [ 7 ] CVE-2015-0498 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0498 [ 8 ] CVE-2015-0499 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0499 [ 9 ] CVE-2015-0500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0500 [ 10 ] CVE-2015-0501 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0501 [ 11 ] CVE-2015-0503 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0503 [ 12 ] CVE-2015-0505 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0505 [ 13 ] CVE-2015-0506 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0506 [ 14 ] CVE-2015-0507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0507 [ 15 ] CVE-2015-0508 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0508 [ 16 ] CVE-2015-0511 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0511 [ 17 ] CVE-2015-2566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2566 [ 18 ] CVE-2015-2567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2567 [ 19 ] CVE-2015-2568 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2568 [ 20 ] CVE-2015-2571 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2571 [ 21 ] CVE-2015-2573 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2573 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201507-19 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ============================================================================ Ubuntu Security Notice USN-2575-1 April 21, 2015 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-42.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: mysql-server-5.5 5.5.43-0ubuntu0.14.10.1 Ubuntu 14.04 LTS: mysql-server-5.5 5.5.43-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.43-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 3. 5 client): Source: mysql55-mysql-5.5.45-1.el5.src.rpm i386: mysql55-mysql-5.5.45-1.el5.i386.rpm mysql55-mysql-bench-5.5.45-1.el5.i386.rpm mysql55-mysql-debuginfo-5.5.45-1.el5.i386.rpm mysql55-mysql-libs-5.5.45-1.el5.i386.rpm mysql55-mysql-server-5.5.45-1.el5.i386.rpm mysql55-mysql-test-5.5.45-1.el5.i386.rpm x86_64: mysql55-mysql-5.5.45-1.el5.x86_64.rpm mysql55-mysql-bench-5.5.45-1.el5.x86_64.rpm mysql55-mysql-debuginfo-5.5.45-1.el5.x86_64.rpm mysql55-mysql-libs-5.5.45-1.el5.x86_64.rpm mysql55-mysql-server-5.5.45-1.el5.x86_64.rpm mysql55-mysql-test-5.5.45-1.el5.x86_64.rpm RHEL Desktop Workstation (v. The verification of md5 checksums and GPG signatures is performed automatically for you. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/mariadb-5.5.43-i486-1_slack14.1.txz: Upgraded. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0441 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.43-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.43-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-10.0.18-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-10.0.18-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.1 package: 17905b4257617eb8b1dc8dd128959b02 mariadb-5.5.43-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 89560390c29526d793ccbbf18807c09f mariadb-5.5.43-x86_64-1_slack14.1.txz Slackware -current package: 6ff4004dedd522fcd7de14a7b4d8f3be ap/mariadb-10.0.18-i586-1.txz Slackware x86_64 -current package: 91b13958f3ab6bc8fe2b89d2b06d98dd ap/mariadb-10.0.18-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mariadb-5.5.43-i486-1_slack14.1.txz Then, restart the database server: # sh /etc/rc.d/rc.mysqld restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: mariadb55-mariadb security update Advisory ID: RHSA-2015:1647-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1647.html Issue date: 2015-08-20 CVE Names: CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-3152 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 ===================================================================== 1. Summary: Updated mariadb55-mariadb packages that fix several security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2015-3152) This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-0501, CVE-2015-2568, CVE-2015-0499, CVE-2015-2571, CVE-2015-0433, CVE-2015-0441, CVE-2015-0505, CVE-2015-2573, CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-4737, CVE-2015-4752, CVE-2015-4757) These updated packages upgrade MariaDB to version 5.5.44. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1212758 - CVE-2015-0501 mysql: unspecified vulnerability related to Server:Compiling (CPU April 2015) 1212763 - CVE-2015-2568 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU April 2015) 1212768 - CVE-2015-0499 mysql: unspecified vulnerability related to Server:Federated (CPU April 2015) 1212772 - CVE-2015-2571 mysql: unspecified vulnerability related to Server:Optimizer (CPU April 2015) 1212776 - CVE-2015-0433 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU April 2015) 1212777 - CVE-2015-0441 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU April 2015) 1212780 - CVE-2015-0505 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015) 1212783 - CVE-2015-2573 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015) 1217506 - CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM) 1244768 - CVE-2015-2582 mysql: unspecified vulnerability related to Server:GIS (CPU July 2015) 1244771 - CVE-2015-2620 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU July 2015) 1244774 - CVE-2015-2643 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015) 1244775 - CVE-2015-2648 mysql: unspecified vulnerability related to Server:DML (CPU July 2015) 1244778 - CVE-2015-4737 mysql: unspecified vulnerability related to Server:Pluggable Auth (CPU July 2015) 1244779 - CVE-2015-4752 mysql: unspecified vulnerability related to Server:I_S (CPU July 2015) 1244781 - CVE-2015-4757 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015) 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: mariadb55-mariadb-5.5.44-1.el6.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5): Source: mariadb55-mariadb-5.5.44-1.el6.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6): Source: mariadb55-mariadb-5.5.44-1.el6.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: mariadb55-mariadb-5.5.44-1.el6.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el6.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: mariadb55-mariadb-5.5.44-1.el7.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1): Source: mariadb55-mariadb-5.5.44-1.el7.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: mariadb55-mariadb-5.5.44-1.el7.src.rpm x86_64: mariadb55-mariadb-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-bench-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-debuginfo-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-devel-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-libs-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-server-5.5.44-1.el7.x86_64.rpm mariadb55-mariadb-test-5.5.44-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-0433 https://access.redhat.com/security/cve/CVE-2015-0441 https://access.redhat.com/security/cve/CVE-2015-0499 https://access.redhat.com/security/cve/CVE-2015-0501 https://access.redhat.com/security/cve/CVE-2015-0505 https://access.redhat.com/security/cve/CVE-2015-2568 https://access.redhat.com/security/cve/CVE-2015-2571 https://access.redhat.com/security/cve/CVE-2015-2573 https://access.redhat.com/security/cve/CVE-2015-2582 https://access.redhat.com/security/cve/CVE-2015-2620 https://access.redhat.com/security/cve/CVE-2015-2643 https://access.redhat.com/security/cve/CVE-2015-2648 https://access.redhat.com/security/cve/CVE-2015-3152 https://access.redhat.com/security/cve/CVE-2015-4737 https://access.redhat.com/security/cve/CVE-2015-4752 https://access.redhat.com/security/cve/CVE-2015-4757 https://access.redhat.com/security/updates/classification/#moderate http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL https://mariadb.com/kb/en/mariadb/mariadb-5544-release-notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFV1ZuWXlSAg2UNWIIRAp7oAJ9wnlqK62pAVkcjAYyIc52rAMg20gCcD8Jj Uaj+QJE4oDvI6BEK64IyZGM= =VrDe -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . For the upcoming stable distribution (jessie), these problems will be fixed in version 5.5.43-0+deb8u1

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Unknown

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Oracle

SOURCES

LAST UPDATE DATE

2024-11-13T20:47:19.198000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE