BugTraq
[ GLSA 201201-02 ] MySQL: Multiple vulnerabilities Jan 05 2012 11:08PM
Tim Sammut (underling gentoo org)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: MySQL: Multiple vulnerabilities
Date: January 05, 2012
Bugs: #220813, #229329, #237166, #238117, #240407, #277717,
#294187, #303747, #319489, #321791, #339717, #344987, #351413
ID: 201201-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in MySQL, some of which may allow
execution of arbitrary code.

Background
==========

MySQL is a popular open-source multi-threaded, multi-user SQL database
server.

Affected packages
=================

-------------------------------------------------------------------
 Package              /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
1  dev-db/mysql             < 5.1.56                       >= 5.1.56

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

An unauthenticated remote attacker may be able to execute arbitrary
code with the privileges of the MySQL process, cause a Denial of
Service condition, bypass security restrictions, uninstall arbitrary
MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting
attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 14, 2011. It is likely that your system is already
no longer affected by this issue.

References
==========

[ 1 ] CVE-2008-3963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963
[ 2 ] CVE-2008-4097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097
[ 3 ] CVE-2008-4098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098
[ 4 ] CVE-2008-4456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456
[ 5 ] CVE-2008-7247
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247
[ 6 ] CVE-2009-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446
[ 7 ] CVE-2009-4019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019
[ 8 ] CVE-2009-4028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028
[ 9 ] CVE-2009-4484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484
[ 10 ] CVE-2010-1621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621
[ 11 ] CVE-2010-1626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626
[ 12 ] CVE-2010-1848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848
[ 13 ] CVE-2010-1849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849
[ 14 ] CVE-2010-1850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850
[ 15 ] CVE-2010-2008
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008
[ 16 ] CVE-2010-3676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676
[ 17 ] CVE-2010-3677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677
[ 18 ] CVE-2010-3678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678
[ 19 ] CVE-2010-3679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679
[ 20 ] CVE-2010-3680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680
[ 21 ] CVE-2010-3681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681
[ 22 ] CVE-2010-3682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682
[ 23 ] CVE-2010-3683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683
[ 24 ] CVE-2010-3833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833
[ 25 ] CVE-2010-3834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834
[ 26 ] CVE-2010-3835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835
[ 27 ] CVE-2010-3836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836
[ 28 ] CVE-2010-3837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837
[ 29 ] CVE-2010-3838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838
[ 30 ] CVE-2010-3839
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839
[ 31 ] CVE-2010-3840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201201-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iF4EAREIAAYFAk8GLX4ACgkQFiczYsI3VJODzAD/f/cbpRz0NiTifzta2S44fIfs
dMrQR65Yd9pLJ+Ek7xYA/AgeNaCDjf3CeUdqQ2SjutJ6NshKtU2bHNyuajinzs3h
=MFis
-----END PGP SIGNATURE-----
