mysql-5.5: New MySQL issues

Debian Bug report logs - #695001
mysql-5.5: New MySQL issues

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: mysql-5.5: New MySQL issues

Date: Mon, 03 Dec 2012 08:49:20 +0100

Package: mysql-5.5
Severity: grave
Tags: security
Justification: user security hole

Exploits for new MySQL issues have been posted to the full-disclosure mailing list.
This mail summarises the current state of affairs:

CVE-2012-5611 (formerly tracked as CVE-2012-5579)

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/4

  Patch already available through mariadb.

CVE-2012-5612

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/5

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3908

CVE-2012-5613

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/6

  This was discussed to be intended behaviour:
  http://seclists.org/oss-sec/2012/q4/388

CVE-2012-5614

  Exploit: http://seclists.org/fulldisclosure/2012/De

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3910

CVE-2012-5615

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/9

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3909

Cheers,
        Moritz

Message #10 received at 695001@bugs.debian.org (full text, mbox, reply):

From: Clint Byrum <clint@fewbar.com>

To: 695001 <695001@bugs.debian.org>

Subject: I believe these are addressed upstream with 5.2.29

Date: Wed, 02 Jan 2013 15:53:49 -0800

I have verified at least CVE-2012-5612 is fixed in 5.5.29. Will upload
the new upstream version to unstable soon after some testing.

Message #17 received at 695001-close@bugs.debian.org (full text, mbox, reply):

From: Nicholas Bamber <nicholas@periapt.co.uk>

To: 695001-close@bugs.debian.org

Subject: Bug#695001: fixed in mysql-5.5 5.5.29+dfsg-1

Date: Sat, 12 Jan 2013 00:18:28 +0000

Source: mysql-5.5
Source-Version: 5.5.29+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695001@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Bamber <nicholas@periapt.co.uk> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 15:29:53 +0000
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all i386
Version: 5.5.29+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Nicholas Bamber <nicholas@periapt.co.uk>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 692871 695001
Changes: 
 mysql-5.5 (5.5.29+dfsg-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * d/mysql-server-5.5.postinst: Patch from Alex Bligh to fix privilege
     regression that was introduced in the switch from 5.1 to 5.5.
     (Closes: #692871)
   * New upstream release. (Closes: #695001) Refreshed patches.
Checksums-Sha1: 
 43779be62bdd8a86901204749cae1e5204c94e33 2954 mysql-5.5_5.5.29+dfsg-1.dsc
 df1f3af8caf6b14813b4e0789ab6c0379e5de1e1 21199752 mysql-5.5_5.5.29+dfsg.orig.tar.gz
 a523271db0d7262da3cff95484f8e237608bce9f 304465 mysql-5.5_5.5.29+dfsg-1.debian.tar.gz
 ad0008d06a1411f0dd760cd1b001be64848b3d3e 108602 mysql-common_5.5.29+dfsg-1_all.deb
 8b247ab02c592d393f50f6868a3b62bdaec4f09e 106816 mysql-server_5.5.29+dfsg-1_all.deb
 6d4a30ae400e91490298217d756a51e41c83afcf 106692 mysql-client_5.5.29+dfsg-1_all.deb
 17bee4c439dec9c9efbc021b17217ccf7e711262 690422 libmysqlclient18_5.5.29+dfsg-1_i386.deb
 0cd0f151ac8afa510eb92e4dabadd8419277bd46 3099864 libmysqld-pic_5.5.29+dfsg-1_i386.deb
 b08c678793a66e425b4e0fa857bbb549d7f14122 3096076 libmysqld-dev_5.5.29+dfsg-1_i386.deb
 5be77033e57c4049ea6f1a640c62755dd00ee6d3 963548 libmysqlclient-dev_5.5.29+dfsg-1_i386.deb
 2fd8c1d005baffb9ef0741b64f14a9f40206a9ca 1745422 mysql-client-5.5_5.5.29+dfsg-1_i386.deb
 f35af946fe929ec6e67c254fba2d9fb91ca23919 3646514 mysql-server-core-5.5_5.5.29+dfsg-1_i386.deb
 0908f54f4a450680a38918ef78da05c27f9c7ad6 2028340 mysql-server-5.5_5.5.29+dfsg-1_i386.deb
 9f29d13b8f21d1b68d675ead07800303a798a99e 4318232 mysql-testsuite-5.5_5.5.29+dfsg-1_i386.deb
 d77fab4a138d8b64460b3eb15e6daf25296c73c5 22710606 mysql-source-5.5_5.5.29+dfsg-1_i386.deb
Checksums-Sha256: 
 7be3a558757c99affbbff47bb2b534e8e9b1ec4c80ab4d5af6367438dd01346b 2954 mysql-5.5_5.5.29+dfsg-1.dsc
 c67ce550fbb2a7fe3e838f292c9d301fcef83b2ca595ad751e9a4d305c348af7 21199752 mysql-5.5_5.5.29+dfsg.orig.tar.gz
 387703e3195dedbd6a35df193ad5a7a4f45aeac77c4d70a7ad2a16ec43069136 304465 mysql-5.5_5.5.29+dfsg-1.debian.tar.gz
 a5be57697a5f2281f80401c357e9a44ecf4d78b0dd099dde8e69e3e24291442e 108602 mysql-common_5.5.29+dfsg-1_all.deb
 d89662d751f7785f819b757bd86fd7512ba70c447986f2110580f62d827338cd 106816 mysql-server_5.5.29+dfsg-1_all.deb
 10b688a5196b103fd481af9d402203d87e03b5cd6b15d483e3fe77df003bb488 106692 mysql-client_5.5.29+dfsg-1_all.deb
 013598bd31122ea8771d75e3a3e533d9e324c6d0dce5f6aa5a66d56e73fe662d 690422 libmysqlclient18_5.5.29+dfsg-1_i386.deb
 b924cb65b7dc0c19293decdb065d4a947afe16caa67e4f0fc86b6107fe52d2bd 3099864 libmysqld-pic_5.5.29+dfsg-1_i386.deb
 3e50e790014f7236251a07e9f9d07b8e7b12a05f72d7ee480567f0fdd890e26c 3096076 libmysqld-dev_5.5.29+dfsg-1_i386.deb
 cb180eab7aca91826e73dbd1b1351aedaa042c898e3add6eb60f788e27049d1c 963548 libmysqlclient-dev_5.5.29+dfsg-1_i386.deb
 7333c3cea3571a9d0b7f70317becdbe1657c1d2d14f6f04394eecb63114ea9cc 1745422 mysql-client-5.5_5.5.29+dfsg-1_i386.deb
 9aea29344c4954acb0ba99a42036a8269c3a7f5f4f01dc9613c71219674ef0a0 3646514 mysql-server-core-5.5_5.5.29+dfsg-1_i386.deb
 5bd5388c7475c56e8c7ac8a3a075ff3ecf4f86cb10137de0c74a76de61dfc593 2028340 mysql-server-5.5_5.5.29+dfsg-1_i386.deb
 413668e5cbc4b2f45c08563ca5f2e7a4176fbdb413318d6729329f550ae659ba 4318232 mysql-testsuite-5.5_5.5.29+dfsg-1_i386.deb
 02b821181398f7f25ce831810d42e33af2febbbeb66f2ca264f27df495187603 22710606 mysql-source-5.5_5.5.29+dfsg-1_i386.deb
Files: 
 d5b8a7c3bbcf933b1378867fe15d571b 2954 database optional mysql-5.5_5.5.29+dfsg-1.dsc
 85adedbcb966d2c192e04881d8820147 21199752 database optional mysql-5.5_5.5.29+dfsg.orig.tar.gz
 122906b2f52d799dd38ba16a82c1a933 304465 database optional mysql-5.5_5.5.29+dfsg-1.debian.tar.gz
 514ed478843bf065ee2ac6ad44d2c9f6 108602 database optional mysql-common_5.5.29+dfsg-1_all.deb
 8c6d73d94aa6328d84e3f0c8ce3bcbee 106816 database optional mysql-server_5.5.29+dfsg-1_all.deb
 30308b0b972abdbae4553986392318fa 106692 database optional mysql-client_5.5.29+dfsg-1_all.deb
 b5cc58a793fa5903f534d18ab23f4f00 690422 libs optional libmysqlclient18_5.5.29+dfsg-1_i386.deb
 8b9494619d7e5552a65d14850fe3d7f4 3099864 libdevel optional libmysqld-pic_5.5.29+dfsg-1_i386.deb
 3bf2f373578b9cd3ae20d9e45ccff25a 3096076 libdevel optional libmysqld-dev_5.5.29+dfsg-1_i386.deb
 2dc49bbab1a301e452cd1a3358102eaa 963548 libdevel optional libmysqlclient-dev_5.5.29+dfsg-1_i386.deb
 c63461b8b5038245028282b9759b67e8 1745422 database optional mysql-client-5.5_5.5.29+dfsg-1_i386.deb
 3a789c5054943a49c76110fa88894067 3646514 database optional mysql-server-core-5.5_5.5.29+dfsg-1_i386.deb
 17ec0665b68d45db73bddbe5fac34dda 2028340 database optional mysql-server-5.5_5.5.29+dfsg-1_i386.deb
 441aa762e0ec0e7f59d8aa4a5b4572ea 4318232 database optional mysql-testsuite-5.5_5.5.29+dfsg-1_i386.deb
 d3190a715e0d9790c94691a325ace649 22710606 database optional mysql-source-5.5_5.5.29+dfsg-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ8J6hAAoJELbE2bY7/+c8GTEQALGrw5GmxIb7NDgEu5pFcJru
e4mlaK0Axod1pkjeTvQL0zztAD7KvYehr3RRMtsg3X3Ut6grugDlThaWhPHWHwib
R6cbl866+prXx4YCGzPBeouuXSm2s/crNYBjKh05l9mxXhd8OUZfQf5hJVfmqst6
s8upX+ekHADjSVGLhryaA0vfycv6V3qHkbnz2xZS7A+68FJ/+9/LNgMHSkK1/bVe
A7dwJQbn+KRdgTmR3CW1FpQ1r26m9xHRC4+Et2xIJQVt69LVBT5njg3MI2EMsI6s
GvzTnjXppgE1/UJpqIP+bncJK1J9MdSim7Y3ugSQbrR8QYHB5VMITIkr6IaiQJmC
ecF5C31v/xlfwRr+YtTRpnBHqCc0s78eUy8N8BCjQez2/T+CkaVZy4PulRoJUc7f
hYQekBV/jy4Yv9H5f2MXpEZ2IhskTl74kQncbwB6xwXnXZQ78ydhhPsWD9NVIir3
14RyECQ1umF5UE0F0EB+kDVtDSC/bHHGBN082z5XupFO5cjZ8nmjSdfgdHrUtZ7J
++AR2dMAnHezCGGpt0nLd4Y68BU71xP3058dttl6Ox1jhD/7/O9z6PE4N2iCReKM
0vbFi/Ese5JfqR7RTxb2IIotrXmhErVlgXvi0x1uxL+GqysUlfnI4mPJQRbgecTH
gvlRLunf90x0jZhGdtMN
=UejU
-----END PGP SIGNATURE-----

Message #22 received at 695001@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: 695001@bugs.debian.org

Cc: jmm@debian.org

Subject: Re: Bug#695001 closed by Nicholas Bamber <nicholas@periapt.co.uk> (Bug#695001: fixed in mysql-5.5 5.5.29+dfsg-1)

Date: Mon, 14 Jan 2013 19:19:34 +0100

On Sat, Jan 12, 2013 at 12:30:11AM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the mysql-5.5 package:
> 
> #695001: mysql-5.5: New MySQL issues
> 
> It has been closed by Nicholas Bamber <nicholas@periapt.co.uk>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Nicholas Bamber <nicholas@periapt.co.uk> by
> replying to this email.

The bug you closed mentioned various security issues:

CVE-2012-5611 (formerly tracked as CVE-2012-5579)
CVE-2012-5612
CVE-2012-5613
CVE-2012-5614
CVE-2012-5615

Is there a advisory or a changelog from Oracle, which specifies
the CVE IDs fixed in 5.5.29?

Cheers,
        Moritz

Send a report that this bug log contains spam.