Bug 771996 - VUL-0: mysql: patch update July 2012
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Michal Hrusecky
QA Contact: Security Team bot
Depends on: 771994
Reported: 2012-07-18 08:35 UTC by Sebastian Krahmer
Modified: 2014-03-04 15:56 UTC
Description Sebastian Krahmer 2012-07-18 08:35:16 UTC
+++ This bug was initially created as a clone of Bug #771994 +++

This is meant as a tracker bug. Please split off bugs for
particular products (e.g. java, mysql) if necessary.

Reference:

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
Comment 1 Sebastian Krahmer 2012-07-18 08:36:47 UTC
The following CVEs are mentioned for mysql in the Oracle advisory:

CVE-2012-1735, CVE-2012-0540, CVE-2012-1757, CVE-2012-1756,
CVE-2012-1734, CVE-2012-1689

We need to verify whether these affect us.
Comment 2 Swamp Workflow Management 2012-07-18 22:00:15 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2012-08-14 15:22:45 UTC
Oracle MySQL Risk Matrix

(CVSS VERSION 2.0 RISK, see Risk Matrix Definitions: the Base Score through Availability columns.)

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-1735 | MySQL Server | MySQL Protocol | Server Optimizer | No | 6.8 | Network | Low | Single | None | None | Complete | 5.5.23 and earlier | |
| CVE-2012-0540 | MySQL Server | MySQL Protocol | GIS Extension | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.62 and earlier, 5.5.23 and earlier | |
| CVE-2012-1757 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.23 and earlier | |
| CVE-2012-1756 | MySQL Server | MySQL Protocol | Server | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.23 and earlier | |
| CVE-2012-1734 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.62 and earlier, 5.5.23 and earlier | |
| CVE-2012-1689 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.62 and earlier, 5.5.22 and earlier | |
Comment 4 Marcus Meissner 2012-08-14 15:24:05 UTC
remote denial of service post-authentication, highest CVSS Score is 6.8.
Comment 5 Marcus Meissner 2012-08-16 15:55:48 UTC
No mysql 5.0.x issue is listed.

This means SLE is not affected, only openSUSE might be affected.
Comment 9 Matthias Weckbecker 2013-07-01 15:35:06 UTC
CVSS Scoring for the issue(s):

$VAR1 = {
            'CVE-2012-1757' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P',
            'CVE-2012-1689' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P',
            'CVE-2012-0540' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P',
            'CVE-2012-1734' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P',
            'CVE-2012-1735' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P',
            'CVE-2012-1756' => '4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P'
          };
Comment 10 Marcus Meissner 2014-03-04 15:56:39 UTC
We will not release mysql updates for older products anymore, and SLES 11 SP3
has mysql 5.5 which I assume is fixed.