Bug 957174 (CVE-2015-5969) - VUL-0: CVE-2015-5969: mariadb, mysql: Information leak via mysql-systemd-helper
Summary: VUL-0: CVE-2015-5969: mariadb, mysql: Information leak via mysql-systemd-helper
Status: RESOLVED FIXED
Alias: CVE-2015-5969
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2015-5969:1.5:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-30 14:50 UTC by Johannes Segitz
Modified: 2023-12-29 12:30 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
systemd-helper.patch (1.13 KB, patch)
2015-12-01 14:55 UTC, Tomáš Chvátal

Description Johannes Segitz 2015-11-30 14:50:08 UTC
In our systemd unit files we use mysql-systemd-helper, which calls
my_print_defaults. The output is used to start the service. If the
configuration contains sensitive information, it might be exposed
because the values are passed as command-line arguments.

Example:
[mysqld]
wsrep_sst_auth=user:password

causes --wsrep_sst_auth=user:password to be visible in the process list.
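The pattern described in the report, reproduced as an added example (this is not the SUSE helper, its patch, or any MariaDB code). The script uses a constructed my.cnf with a wsrep_sst_auth credential, a minimal awk stand-in for `my_print_defaults mysqld` (assumed to emit `--key=value` per option; the real tool also handles includes and multiple files), and a stand-in server that only prints its argv, which is exactly what `ps -eo args` or `/proc/<pid>/cmdline` would show to any local user. `start_vulnerable` builds argv from the option dump; `start_fixed` follows the direction in the later comments of passing the config file instead, assumed here to be `--defaults-file=`. `leaks_in_cmdlines` is the check to run against a live host's process list.

```shell
#!/bin/sh
# Added example: reproduces the CVE-2015-5969 leak pattern and the fix
# direction. Nothing here is the real mysql-systemd-helper.
set -u

# Constructed config with a credential in it, as in the bug report.
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
wsrep_sst_auth=sstuser:S3cretPass
EOF

# Stand-in for `my_print_defaults <section>` (assumption: minimal
# reimplementation). Emits each key=value under [section] as --key=value.
print_defaults() {
    awk -v want="[$1]" '
        /^[[:space:]]*\[/ { in_sect = ($0 == want); next }
        in_sect && /^[[:space:]]*[^#;[:space:]]/ {
            sub(/^[[:space:]]+/, ""); print "--" $0
        }
    ' "$2"
}

# Stand-in for the server binary: prints its argv joined by spaces,
# i.e. what `ps -eo args` shows to every local user.
fake_mysqld() {
    printf '%s\n' "$*"
}

# Vulnerable helper logic: dump the config into command-line options.
# $opts is intentionally unquoted so it word-splits into separate args.
start_vulnerable() {
    opts=$(print_defaults mysqld "$1")
    fake_mysqld $opts
}

# Fixed helper logic (assumed form of the fix): hand the server the path
# to the config, which it reads itself under its own permissions, so the
# secret never appears in argv.
start_fixed() {
    fake_mysqld --defaults-file="$1"
}

# Live-host check: feed process command lines on stdin, e.g.
#   ps -eo args= | leaks_in_cmdlines && echo "credential in argv"
# Exit status 0 means a credential-bearing option was found.
leaks_in_cmdlines() {
    grep -E -q -- '--?wsrep[-_]sst[-_]auth=|--?password='
}

echo "vulnerable argv: $(start_vulnerable "$CONF")"
echo "fixed argv:      $(start_fixed "$CONF")"
```

Run it and the first line shows `--wsrep_sst_auth=sstuser:S3cretPass` in the clear, while the second only shows the config path; the config file itself stays protected by its own mode and owner, which is the property the patch restores. Note that `--defaults-file` does not help if the helper still echoes the option dump into logs or the journal, so the same grep belongs in a log review as well.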
Comment 2 Marcus Rückert 2015-11-30 14:57:39 UTC
TBH I don't understand why we don't just pass the path to the config file to the binary, but convert all options to command-line arguments.
Comment 3 Swamp Workflow Management 2015-11-30 23:01:46 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2015-12-01 10:43:59 UTC
I have assigned CVE-2015-5969 from our CVE pool.
Comment 8 Tomáš Chvátal 2015-12-01 14:55:49 UTC
Created attachment 657937 [details]
systemd-helper.patch

Patch fixing the problem by passing the full config. Done and tested with Kristyna here :)
Comment 9 Marcus Rückert 2015-12-01 15:07:50 UTC
Comment on attachment 657937 [details]
systemd-helper.patch

That patch looks like something I will like.
Comment 10 SMASH SMASH 2015-12-12 12:14:02 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 18, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121114/.
Comment 18 Swamp Workflow Management 2016-02-01 14:12:23 UTC
SUSE-SU-2016:0296-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 937787,957174,958789
CVE References: CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4913,CVE-2015-5969
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    mariadb-10.0.22-3.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mariadb-10.0.22-3.1
SUSE Linux Enterprise Server 12-SP1 (src):    mariadb-10.0.22-3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    mariadb-10.0.22-3.1
Comment 19 Kristyna Streitova 2016-02-03 10:51:04 UTC
Requests for openSUSE:

|    Product    | Package |   Request    |
|---------------|---------|--------------|
| Factory       | mysql   | #357500      |
| Factory       | mariadb | #357497      |
| openSUSE 13.2 | mysql   | #357511      |
| openSUSE 13.2 | mariadb | #357509      |
| openSUSE Leap | mysql   | #357511      |
| openSUSE Leap | mariadb | via SLE12SP1 |


All done, reassigning to security-team.
Comment 20 Bernhard Wiedemann 2016-02-03 11:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (957174) was mentioned in
https://build.opensuse.org/request/show/357509 13.2 / mariadb
https://build.opensuse.org/request/show/357511 42.1+13.2 / mysql-community-server
Comment 21 Swamp Workflow Management 2016-02-07 19:14:39 UTC
openSUSE-SU-2016:0367-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 957174,959724,962779
CVE References: CVE-2015-5969,CVE-2015-7744,CVE-2016-0502,CVE-2016-0503,CVE-2016-0504,CVE-2016-0505,CVE-2016-0546,CVE-2016-0594,CVE-2016-0595,CVE-2016-0596,CVE-2016-0597,CVE-2016-0598,CVE-2016-0600,CVE-2016-0605,CVE-2016-0606,CVE-2016-0607,CVE-2016-0608,CVE-2016-0609,CVE-2016-0610,CVE-2016-0611
Sources used:
openSUSE Leap 42.1 (src):    mysql-community-server-5.6.28-13.1
openSUSE 13.2 (src):    mysql-community-server-5.6.28-2.17.1
Comment 22 Swamp Workflow Management 2016-02-07 19:15:49 UTC
openSUSE-SU-2016:0368-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 937787,957174,958789
CVE References: CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4913,CVE-2015-5969
Sources used:
openSUSE Leap 42.1 (src):    mariadb-10.0.22-3.1
Comment 23 Andreas Stieger 2016-02-08 10:15:37 UTC
Make public, updates released
Comment 24 Swamp Workflow Management 2016-02-08 14:11:36 UTC
openSUSE-SU-2016:0379-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 957174
CVE References: CVE-2015-5969
Sources used:
openSUSE 13.2 (src):    mariadb-10.0.22-2.21.2
Comment 25 Maintenance Automation 2023-10-04 08:33:54 UTC
SUSE-RU-2023:3956-1: An update that solves 221 vulnerabilities and contains three features can now be installed.

Category: recommended (moderate)
Bug References: 1001367, 1005555, 1005558, 1005562, 1005564, 1005566, 1005569, 1005581, 1005582, 1006539, 1008253, 1012075, 1013882, 1019948, 1020873, 1020875, 1020877, 1020878, 1020882, 1020884, 1020885, 1020890, 1020891, 1020894, 1020896, 1020976, 1022428, 1038740, 1039034, 1041525, 1041891, 1042632, 1043328, 1047218, 1055165, 1055268, 1058374, 1058729, 1060110, 1062583, 1067443, 1068906, 1069401, 1080891, 1083087, 1088681, 1092544, 1098683, 1101676, 1101677, 1101678, 1103342, 1111858, 1111859, 1112368, 1112377, 1112384, 1112386, 1112391, 1112397, 1112404, 1112415, 1112417, 1112421, 1112432, 1112767, 1116686, 1118754, 1120041, 1122198, 1122475, 1127027, 1132666, 1136035, 1142909, 1143215, 1144314, 1156669, 1160285, 1160868, 1160878, 1160883, 1160895, 1160912, 1166781, 1168380, 1170204, 1173028, 1173516, 1174559, 1175596, 1177472, 1178428, 1180014, 1182218, 1182255, 1182739, 1183770, 1185870, 1185872, 1186031, 1189320, 1192497, 1195325, 1195334, 1195339, 1196016, 1197459, 1198603, 1198604, 1198605, 1198606, 1198607, 1198609, 1198610, 1198611, 1198612, 1198613, 1198628, 1198629, 1198630, 1198631, 1198632, 1198633, 1198634, 1198635, 1198636, 1198637, 1198638, 1198639, 1198640, 1199928, 1200105, 1201161, 1201163, 1201164, 1201165, 1201166, 1201167, 1201168, 1201169, 1201170, 1202863, 332530, 353120, 357634, 359522, 366820, 371000, 387746, 420313, 425079, 427384, 429618, 435519, 437293, 463586, 520876, 525065, 525325, 539243, 539249, 557669, 635645, 747811, 763150, 779476, 789263, 792444, 796164, 829430, 841709, 859345, 889126, 894479, 902396, 914370, 921955, 934789, 937754, 937767, 937787, 942908, 943096, 957174, 963810, 971456, 979524, 983938, 984858, 986251, 989913, 989919, 989922, 989926, 990890, 998309
CVE References: CVE-2006-0903, CVE-2006-4226, CVE-2006-4227, CVE-2007-5969, CVE-2007-5970, CVE-2007-6303, CVE-2007-6304, CVE-2008-2079, CVE-2008-7247, CVE-2009-4019, CVE-2009-4028, CVE-2009-4030, CVE-2012-4414, CVE-2012-5611, CVE-2012-5612, CVE-2012-5615, CVE-2012-5627, CVE-2013-1976, CVE-2015-4792, CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4895, CVE-2015-4913, CVE-2015-5969, CVE-2015-7744, CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0644, CVE-2016-0646, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0668, CVE-2016-2047, CVE-2016-3477, CVE-2016-3492, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5584, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-6662, CVE-2016-6663, CVE-2016-6664, CVE-2016-7440, CVE-2016-8283, CVE-2016-9843, CVE-2017-10268, CVE-2017-10286, CVE-2017-10320, CVE-2017-10365, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384, CVE-2017-15365, CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3265, CVE-2017-3291, CVE-2017-3302, CVE-2017-3308, CVE-2017-3309, CVE-2017-3312, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464, CVE-2017-3636, CVE-2017-3641, CVE-2017-3653, CVE-2018-25032, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668, CVE-2018-2755, CVE-2018-2759, CVE-2018-2761, CVE-2018-2766, CVE-2018-2767, CVE-2018-2771, CVE-2018-2777, CVE-2018-2781, CVE-2018-2782, CVE-2018-2784, CVE-2018-2786, CVE-2018-2787, CVE-2018-2810, CVE-2018-2813, CVE-2018-2817, CVE-2018-2819, CVE-2018-3058, CVE-2018-3060, CVE-2018-3063, CVE-2018-3064, CVE-2018-3066, CVE-2018-3143, 
CVE-2018-3156, CVE-2018-3162, CVE-2018-3173, CVE-2018-3174, CVE-2018-3185, CVE-2018-3200, CVE-2018-3251, CVE-2018-3277, CVE-2018-3282, CVE-2018-3284, CVE-2019-18901, CVE-2019-2510, CVE-2019-2537, CVE-2019-2614, CVE-2019-2627, CVE-2019-2628, CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974, CVE-2020-13249, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789, CVE-2020-14812, CVE-2020-15180, CVE-2020-2574, CVE-2020-2752, CVE-2020-2760, CVE-2020-2812, CVE-2020-2814, CVE-2020-7221, CVE-2021-2154, CVE-2021-2166, CVE-2021-2372, CVE-2021-2389, CVE-2021-27928, CVE-2021-35604, CVE-2021-46657, CVE-2021-46658, CVE-2021-46659, CVE-2021-46661, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46668, CVE-2021-46669, CVE-2022-21427, CVE-2022-21595, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051, CVE-2022-24052, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-32081, CVE-2022-32083, CVE-2022-32084, CVE-2022-32085, CVE-2022-32086, CVE-2022-32087, CVE-2022-32088, CVE-2022-32089, CVE-2022-32091, CVE-2022-38791, CVE-2022-47015
Jira References: PED-2455, SLE-12253, SLE-8269
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): mariadb104-10.4.30-150100.3.5.10, python-mysqlclient-1.4.6-150100.3.3.7
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): mariadb104-10.4.30-150100.3.5.10, python-mysqlclient-1.4.6-150100.3.3.7
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): mariadb104-10.4.30-150100.3.5.10, python-mysqlclient-1.4.6-150100.3.3.7
SUSE CaaS Platform 4.0 (src): mariadb104-10.4.30-150100.3.5.10, python-mysqlclient-1.4.6-150100.3.3.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2023-12-29 12:30:34 UTC
SUSE-RU-2023:4991-1: An update that solves 221 vulnerabilities and contains three features can now be installed.

Category: recommended (moderate)
Bug References: 1001367, 1005555, 1005558, 1005562, 1005564, 1005566, 1005569, 1005581, 1005582, 1006539, 1008253, 1012075, 1013882, 1019948, 1020873, 1020875, 1020877, 1020878, 1020882, 1020884, 1020885, 1020890, 1020891, 1020894, 1020896, 1020976, 1022428, 1038740, 1039034, 1041525, 1041891, 1042632, 1043328, 1047218, 1055165, 1055268, 1058374, 1058729, 1060110, 1062583, 1067443, 1068906, 1069401, 1080891, 1083087, 1088681, 1092544, 1098683, 1101676, 1101677, 1101678, 1103342, 1111858, 1111859, 1112368, 1112377, 1112384, 1112386, 1112391, 1112397, 1112404, 1112415, 1112417, 1112421, 1112432, 1112767, 1116686, 1118754, 1120041, 1122198, 1122475, 1127027, 1132666, 1136035, 1142909, 1143215, 1144314, 1156669, 1160285, 1160868, 1160878, 1160883, 1160895, 1160912, 1166781, 1168380, 1170204, 1173028, 1173516, 1174559, 1175596, 1177472, 1178428, 1180014, 1182218, 1182255, 1182739, 1183770, 1185870, 1185872, 1186031, 1189320, 1192497, 1195325, 1195334, 1195339, 1196016, 1197459, 1198603, 1198604, 1198605, 1198606, 1198607, 1198609, 1198610, 1198611, 1198612, 1198613, 1198628, 1198629, 1198630, 1198631, 1198632, 1198633, 1198634, 1198635, 1198636, 1198637, 1198638, 1198639, 1198640, 1199928, 1200105, 1201161, 1201163, 1201164, 1201165, 1201166, 1201167, 1201168, 1201169, 1201170, 1202863, 332530, 353120, 357634, 359522, 366820, 371000, 387746, 420313, 425079, 427384, 429618, 435519, 437293, 463586, 520876, 525065, 525325, 539243, 539249, 557669, 635645, 747811, 763150, 779476, 789263, 792444, 796164, 829430, 841709, 859345, 889126, 894479, 902396, 914370, 921955, 934789, 937754, 937767, 937787, 942908, 943096, 957174, 963810, 971456, 979524, 983938, 984858, 986251, 989913, 989919, 989922, 989926, 990890, 998309
CVE References: CVE-2006-0903, CVE-2006-4226, CVE-2006-4227, CVE-2007-5969, CVE-2007-5970, CVE-2007-6303, CVE-2007-6304, CVE-2008-2079, CVE-2008-7247, CVE-2009-4019, CVE-2009-4028, CVE-2009-4030, CVE-2012-4414, CVE-2012-5611, CVE-2012-5612, CVE-2012-5615, CVE-2012-5627, CVE-2013-1976, CVE-2015-4792, CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4895, CVE-2015-4913, CVE-2015-5969, CVE-2015-7744, CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0644, CVE-2016-0646, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0668, CVE-2016-2047, CVE-2016-3477, CVE-2016-3492, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5584, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-6662, CVE-2016-6663, CVE-2016-6664, CVE-2016-7440, CVE-2016-8283, CVE-2016-9843, CVE-2017-10268, CVE-2017-10286, CVE-2017-10320, CVE-2017-10365, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384, CVE-2017-15365, CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3265, CVE-2017-3291, CVE-2017-3302, CVE-2017-3308, CVE-2017-3309, CVE-2017-3312, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3453, CVE-2017-3456, CVE-2017-3464, CVE-2017-3636, CVE-2017-3641, CVE-2017-3653, CVE-2018-25032, CVE-2018-2562, CVE-2018-2612, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668, CVE-2018-2755, CVE-2018-2759, CVE-2018-2761, CVE-2018-2766, CVE-2018-2767, CVE-2018-2771, CVE-2018-2777, CVE-2018-2781, CVE-2018-2782, CVE-2018-2784, CVE-2018-2786, CVE-2018-2787, CVE-2018-2810, CVE-2018-2813, CVE-2018-2817, CVE-2018-2819, CVE-2018-3058, CVE-2018-3060, CVE-2018-3063, CVE-2018-3064, CVE-2018-3066, CVE-2018-3143, 
CVE-2018-3156, CVE-2018-3162, CVE-2018-3173, CVE-2018-3174, CVE-2018-3185, CVE-2018-3200, CVE-2018-3251, CVE-2018-3277, CVE-2018-3282, CVE-2018-3284, CVE-2019-18901, CVE-2019-2510, CVE-2019-2537, CVE-2019-2614, CVE-2019-2627, CVE-2019-2628, CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974, CVE-2020-13249, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789, CVE-2020-14812, CVE-2020-15180, CVE-2020-2574, CVE-2020-2752, CVE-2020-2760, CVE-2020-2812, CVE-2020-2814, CVE-2020-7221, CVE-2021-2154, CVE-2021-2166, CVE-2021-2372, CVE-2021-2389, CVE-2021-27928, CVE-2021-35604, CVE-2021-46657, CVE-2021-46658, CVE-2021-46659, CVE-2021-46661, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46668, CVE-2021-46669, CVE-2022-21427, CVE-2022-21595, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051, CVE-2022-24052, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-32081, CVE-2022-32083, CVE-2022-32084, CVE-2022-32085, CVE-2022-32086, CVE-2022-32087, CVE-2022-32088, CVE-2022-32089, CVE-2022-32091, CVE-2022-38791, CVE-2022-47015
Jira References: PED-2455, SLE-12253, SLE-8269
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): mariadb-connector-c-3.1.22-2.35.1, lz4-1.8.0-3.5.2, python-mysqlclient-1.3.14-8.9.2, mariadb104-10.4.30-8.5.46
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): mariadb-connector-c-3.1.22-2.35.1, lz4-1.8.0-3.5.2, python-mysqlclient-1.3.14-8.9.2, mariadb104-10.4.30-8.5.46
SUSE Linux Enterprise Server 12 SP5 (src): mariadb-connector-c-3.1.22-2.35.1, lz4-1.8.0-3.5.2, python-mysqlclient-1.3.14-8.9.2, mariadb104-10.4.30-8.5.46
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): mariadb-connector-c-3.1.22-2.35.1, lz4-1.8.0-3.5.2, python-mysqlclient-1.3.14-8.9.2, mariadb104-10.4.30-8.5.46

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.