Bug 873896

Summary: VUL-0: mysql: multiple security issues (2014/04)
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Roman Drahtmueller <draht>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: tristan.ye, vpereira
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:57533
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2014-04-16 09:33:41 UTC

Appendix - Oracle MySQL

CVE-2014-2444 - InnoDB - 5.6.15 and earlier
CVE-2014-2436 - RBR - 5.5.36 and earlier, 5.6.16 and earlier
CVE-2014-2440 - Client - 5.5.36 and earlier, 5.6.16 and earlier
CVE-2014-2434 - DML - 5.6.15 and earlier
CVE-2014-2435 - InnoDB - 5.6.16 and earlier
CVE-2014-2442 - MyISAM - 5.6.15 and earlier
CVE-2014-2450 - Optimizer - 5.6.15 and earlier
CVE-2014-2419 - Partition - 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-0384 - XML - 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2430 - Performance Schema - 5.5.36 and earlier, 5.6.16 and earlier
CVE-2014-2451 - Privileges - 5.6.15 and earlier
CVE-2014-2438 - Replication - 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2432 - Federated - 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2431 - Options - 5.5.36 and earlier, 5.6.16 and earlier
Comment 2 Swamp Workflow Management 2014-04-16 22:00:29 UTC
bugbot adjusting priority
Comment 3 Roman Drahtmueller 2014-04-26 12:36:20 UTC
Seems there is no option other than a version update to the latest 5.5.37.
The lack of information is frustrating to say the least.
Normally, this is not a viable way to treat our users - just without any
background information whatsoever, with no detailed list of changes, with no
association between CVE ID and source change.
Comment 4 Roman Drahtmueller 2014-04-26 13:22:28 UTC
Oracle confirmed that all of the above 14 CVE IDs are fixed in version 5.5.37.
Comment 5 Swamp Workflow Management 2014-05-09 09:41:16 UTC
The SWAMPID for this issue is 57284.
This issue was rated as important.
Please submit fixed packages until 2014-05-16.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Swamp Workflow Management 2014-06-06 18:52:12 UTC
Update released for: libmysql55client18, libmysql55client18-32bit, libmysql55client18-64bit, libmysql55client18-x86, libmysql55client_r18, libmysql55client_r18-32bit, libmysql55client_r18-64bit, libmysql55client_r18-x86, libmysqlclient-devel, libmysqlclient15, libmysqlclient15-32bit, libmysqlclient15-64bit, libmysqlclient15-x86, libmysqlclient_r15, libmysqlclient_r15-32bit, libmysqlclient_r15-64bit, libmysqlclient_r15-x86, mysql, mysql-Max, mysql-bench, mysql-client, mysql-debug, mysql-debug-version, mysql-debuginfo, mysql-debugsource, mysql-test, mysql-tools
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 9 Swamp Workflow Management 2014-06-06 22:04:39 UTC
SUSE-SU-2014:0769-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 858823,861493,873896
CVE References: CVE-2013-4316,CVE-2013-5860,CVE-2013-5881,CVE-2013-5882,CVE-2013-5891,CVE-2013-5894,CVE-2013-5908,CVE-2014-0001,CVE-2014-0384,CVE-2014-0386,CVE-2014-0393,CVE-2014-0401,CVE-2014-0402,CVE-2014-0412,CVE-2014-0420,CVE-2014-0427,CVE-2014-0430,CVE-2014-0431,CVE-2014-0433,CVE-2014-0437,CVE-2014-2419,CVE-2014-2430,CVE-2014-2431,CVE-2014-2432,CVE-2014-2434,CVE-2014-2435,CVE-2014-2436,CVE-2014-2438,CVE-2014-2440,CVE-2014-2442,CVE-2014-2444,CVE-2014-2450,CVE-2014-2451
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    mysql-5.0.96-0.6.11, mysql-5.5.37-0.7.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    mysql-5.0.96-0.6.11, mysql-5.5.37-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    mysql-5.0.96-0.6.11, mysql-5.5.37-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    mysql-5.0.96-0.6.11, mysql-5.5.37-0.7.1
Comment 11 Tristan Ye 2016-02-05 03:50:55 UTC
Guys, can SLES 11SP1 also be affected by this issue?