Debian Bug report logs -
#675872
mysql-server-5.1: CVE-2012-0882 - one more underspecified security problem
Reported by: Arne Wichmann <aw@fva-wg.de>
Date: Sun, 3 Jun 2012 19:36:05 UTC
Severity: important
Found in versions 5.1.63-0+squeeze1, 5.1.61-0+squeeze1
Fixed in version 5.1.62-1+rm
Done: Andreas Beckmann <anbe@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#675872; Package mysql-server-5.1.
(Sun, 03 Jun 2012 19:36:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Arne Wichmann <aw@fva-wg.de>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Sun, 03 Jun 2012 19:36:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mysql-server-5.1
Version: 5.1.61-0+squeeze1
Severity: important
Hi. Quoting from the RedHat Bugreport [1]:
CVE-2012-0882: unspecified remote exploit (released with VulnDisco Pack
Professional 9.17).
This is mostly a heads-up as there is not enough information to fix this bug.
See also: [2] [3] [4]
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0882
[2] http://security-tracker.debian.org/tracker/CVE-2012-0882
[3] http://www.openwall.com/lists/oss-security/2012/02/24/3
[4] http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0882.html
cu
AW
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (500, 'stable'), (80, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-042stab049.6 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages mysql-server-5.1 depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [de 1.5.36.1 Debian configuration management sy
ii libc6 2.13-27 Embedded GNU C Library: Shared lib
ii libdbi-perl 1.616-1+b1 Perl Database Interface (DBI)
ii libgcc1 1:4.6.3-1 GCC support library
ii libmysqlcli 5.1.61-0+squeeze1 MySQL database client library
ii libstdc++6 4.6.3-1 GNU Standard C++ Library v3
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii mysql-clien 5.1.61-0+squeeze1 MySQL database client binaries
ii mysql-commo 5.1.61-0+squeeze1 MySQL database common files, e.g.
ii mysql-serve 5.1.61-0+squeeze1 MySQL database server binaries
ii passwd 1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii perl 5.12.4-4 Larry Wall's Practical Extraction
ii psmisc 22.11-1 utilities that use the proc file s
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages mysql-server-5.1 recommends:
ii heirloom-mailx [mailx] 12.4-2 feature-rich BSD mail(1)
pn libhtml-template-perl <none> (no description available)
Versions of packages mysql-server-5.1 suggests:
pn tinyca <none> (no description available)
-- debconf information:
mysql-server/error_setting_password:
mysql-server-5.1/start_on_boot: true
mysql-server-5.1/postrm_remove_databases: false
mysql-server-5.1/nis_warning:
mysql-server-5.1/really_downgrade: false
mysql-server/password_mismatch:
mysql-server/no_upgrade_when_using_ndb:
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#675872; Package mysql-server-5.1.
(Sun, 03 Jun 2012 21:28:24 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Sun, 03 Jun 2012 21:28:25 GMT) (full text, mbox, link).
Message #10 received at 675872@bugs.debian.org (full text, mbox, reply):
Arne,
The issue sounds a bit like #674267 though I had not perceived the
latter to be a security issue. The commonality is as follows:
1.) i386 systems only (well the video does not say its i386 only, but
they don't mention anything else).
2.) 5.5.* - the video actually talks about 5.5.20.
3.) yassl rather than openssl
On 03/06/12 19:56, Arne Wichmann wrote:
> Package: mysql-server-5.1
> Version: 5.1.61-0+squeeze1
> Severity: important
>
> Hi. Quoting from the RedHat Bugreport [1]:
>
> CVE-2012-0882: unspecified remote exploit (released with VulnDisco Pack
> Professional 9.17).
>
> This is mostly a heads-up as there is not enough information to fix this bug.
>
> See also: [2] [3] [4]
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0882
> [2] http://security-tracker.debian.org/tracker/CVE-2012-0882
> [3] http://www.openwall.com/lists/oss-security/2012/02/24/3
> [4] http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0882.html
>
> cu
>
> AW
>
> -- System Information:
> Debian Release: 6.0.4
> APT prefers stable
> APT policy: (500, 'stable'), (80, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-042stab049.6 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages mysql-server-5.1 depends on:
> ii adduser 3.112+nmu2 add and remove users and groups
> ii debconf [de 1.5.36.1 Debian configuration management sy
> ii libc6 2.13-27 Embedded GNU C Library: Shared lib
> ii libdbi-perl 1.616-1+b1 Perl Database Interface (DBI)
> ii libgcc1 1:4.6.3-1 GCC support library
> ii libmysqlcli 5.1.61-0+squeeze1 MySQL database client library
> ii libstdc++6 4.6.3-1 GNU Standard C++ Library v3
> ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
> ii mysql-clien 5.1.61-0+squeeze1 MySQL database client binaries
> ii mysql-commo 5.1.61-0+squeeze1 MySQL database common files, e.g.
> ii mysql-serve 5.1.61-0+squeeze1 MySQL database server binaries
> ii passwd 1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
> ii perl 5.12.4-4 Larry Wall's Practical Extraction
> ii psmisc 22.11-1 utilities that use the proc file s
> ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
>
> Versions of packages mysql-server-5.1 recommends:
> ii heirloom-mailx [mailx] 12.4-2 feature-rich BSD mail(1)
> pn libhtml-template-perl<none> (no description available)
>
> Versions of packages mysql-server-5.1 suggests:
> pn tinyca<none> (no description available)
>
> -- debconf information:
> mysql-server/error_setting_password:
> mysql-server-5.1/start_on_boot: true
> mysql-server-5.1/postrm_remove_databases: false
> mysql-server-5.1/nis_warning:
> mysql-server-5.1/really_downgrade: false
> mysql-server/password_mismatch:
> mysql-server/no_upgrade_when_using_ndb:
>
>
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
>
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Thu, 05 Jul 2012 15:59:41 GMT) (full text, mbox, link).
Notification sent
to Arne Wichmann <aw@fva-wg.de>:
Bug acknowledged by developer.
(Thu, 05 Jul 2012 15:59:41 GMT) (full text, mbox, link).
Message #15 received at 675872-done@bugs.debian.org (full text, mbox, reply):
Version: 5.1.62-1+rm
Dear submitter,
as the package mysql-5.1 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/680362
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#675872; Package mysql-server-5.1.
(Mon, 09 Jul 2012 16:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Arne Wichmann <aw@linux.de>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Mon, 09 Jul 2012 16:36:04 GMT) (full text, mbox, link).
Message #20 received at 675872@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
found 675872 5.1.63-0+squeeze1
thanks
This is still open in stable.
cu
AW
--
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions 5.1.63-0+squeeze1 and reopened.
Request was from Arne Wichmann <aw@linux.de>
to control@bugs.debian.org.
(Mon, 09 Jul 2012 16:36:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#675872; Package mysql-server-5.1.
(Mon, 08 Apr 2013 02:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Mon, 08 Apr 2013 02:30:04 GMT) (full text, mbox, link).
Message #27 received at 675872@bugs.debian.org (full text, mbox, reply):
clone 675872 -1
reassign -1 src:mysql-5.5
There still isn't much to go on about this issue, but all sign point
to it still existing. Note that redhat's mysql packages use openssl
instead of yassl; altogether avoiding the uncertainties with yassl,
which seems not very supported security-wise. It may be wise to do
the same for the Debian packages.
Best wishes,
Mike
Bug 675872 cloned as bug 704945
Request was from Michael Gilbert <mgilbert@debian.org>
to control@bugs.debian.org.
(Mon, 08 Apr 2013 02:30:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#675872; Package mysql-server-5.1.
(Mon, 08 Apr 2013 03:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Clint Byrum <clint@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Mon, 08 Apr 2013 03:03:04 GMT) (full text, mbox, link).
Message #34 received at 675872@bugs.debian.org (full text, mbox, reply):
On 2013-04-07 19:26, Michael Gilbert wrote:
> clone 675872 -1
> reassign -1 src:mysql-5.5
>
> There still isn't much to go on about this issue, but all sign point
> to it still existing. Note that redhat's mysql packages use openssl
> instead of yassl; altogether avoiding the uncertainties with yassl,
> which seems not very supported security-wise. It may be wise to do
> the same for the Debian packages.
>
What gave you the impression it is still existing? Oracle claims it was
resolved in 5.5.22 and 5.1.62. Ubuntu has also marked it as resolved.
This seems like an uninformed opinion. yaSSL is quite well supported
and this issue was addessed rather quickly. The yaSSL team responds
quite rapidly to open CVE's, and even the most recent one, CVE-2013-1623
[1] , is addressed in yaSSL (just not in an upstream release of MySQL
yet).
OpenSSL is not an option until OpenSSL has granted a license exception
for MySQL, something, AFAICT, they have not done. It is merely an
opinion of RedHat that they don't need one, but Debian has taken an
opposite position.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699886
Reply sent
to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility.
(Mon, 04 Jul 2016 11:33:11 GMT) (full text, mbox, link).
Notification sent
to Arne Wichmann <aw@fva-wg.de>:
Bug acknowledged by developer.
(Mon, 04 Jul 2016 11:33:11 GMT) (full text, mbox, link).
Message #39 received at 675872-done@bugs.debian.org (full text, mbox, reply):
This bug has been reported against an ancient version of mysql (5.1),
that was last released with Debian 6.0 (squeeze). But even squeeze-lts
has now reached end-of-life and is no longer supported.
The bug is assumed to be fixed (or no longer relevant) in newer mysql
(or mariadb) releases and therefore I'm closing this report now. If the
problem is still reproducible in the currently supported versions
(mysql-5.6/mysql-5.7), feel free to provide more information, reopen
and reassign this bug report.
Andreas
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 02 Aug 2016 07:39:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:36:11 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon