libdbd-mysql-perl: CVE-2017-10788


Debian Bug report logs - #866818
libdbd-mysql-perl: CVE-2017-10788


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Jul 2017 07:18:04 UTC

Severity: important

Tags: security, upstream

Found in versions libdbd-mysql-perl/4.021-1, libdbd-mysql-perl/4.028-2

Fixed in version libdbd-mysql-perl/4.046-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/perl5-dbi/DBD-mysql/issues/120



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866818; Package src:libdbd-mysql-perl. (Sun, 02 Jul 2017 07:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 02 Jul 2017 07:18:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdbd-mysql-perl: CVE-2017-10788
Date: Sun, 02 Jul 2017 09:15:39 +0200
Source: libdbd-mysql-perl
Version: 4.028-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libdbd-mysql-perl.

CVE-2017-10788[0]:
| The DBD::mysql module through 4.043 for Perl allows remote attackers to
| cause a denial of service (use-after-free and application crash) or
| possibly have unspecified other impact by triggering (1) certain error
| responses from a MySQL server or (2) a loss of a network connection to
| a MySQL server. The use-after-free defect was introduced by relying on
| incorrect Oracle mysql_stmt_close documentation and code examples.

Related discussions in [1] and [2]. [2] contains a proposed patch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
[1] http://seclists.org/oss-sec/2017/q2/443
[2] https://github.com/perl5-dbi/DBD-mysql/issues/120

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
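The failure mode described above, as an added example that is not part of this report or of DBD::mysql's code: the driver asked a statement handle for its error after mysql_stmt_close() had already freed it (the fix listed later in this log is "use-after-free when calling mysql_stmt_error() after mysql_stmt_close()"). The mock_stmt_* functions and the errno 2013 "Lost connection" sample are constructed stand-ins for the libmysqlclient statement API so the program builds without MySQL; the hardened function snapshots the diagnostics before closing.

```c
/* Added example (not DBD::mysql's code). mock_stmt_* is a constructed stand-in
 * for libmysqlclient's statement API: mock_stmt_close() frees the handle just
 * as mysql_stmt_close() frees a MYSQL_STMT, so any later errno/error lookup
 * on that handle reads freed memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned int last_errno; char last_error[128]; } mock_stmt;

/* Constructed failure: the server connection dropped while a statement ran. */
mock_stmt *mock_stmt_failing(void) {
    mock_stmt *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->last_errno = 2013;
    strcpy(s->last_error, "Lost connection to MySQL server during query");
    return s;
}
unsigned int mock_stmt_errno(const mock_stmt *s) { return s->last_errno; }
const char  *mock_stmt_error(const mock_stmt *s) { return s->last_error; }
void         mock_stmt_close(mock_stmt *s)       { free(s); }

/* Caller-owned copy of the diagnostics; outlives the statement handle. */
typedef struct { unsigned int err; char msg[128]; } stmt_diag;

/* VULNERABLE ordering from the advisory: close first, then ask the dead
 * handle what went wrong. Kept only for contrast; never call it. */
void close_then_report(mock_stmt *s, stmt_diag *d) {
    mock_stmt_close(s);
    d->err = mock_stmt_errno(s);           /* use-after-free */
    strcpy(d->msg, mock_stmt_error(s));    /* use-after-free */
}

/* FIXED ordering: copy errno/error out while the handle is alive, then close.
 * Returns the saved errno so callers never need the handle again. */
unsigned int report_then_close(mock_stmt *s, stmt_diag *d) {
    d->err = mock_stmt_errno(s);
    snprintf(d->msg, sizeof d->msg, "%s", mock_stmt_error(s));
    mock_stmt_close(s);
    return d->err;
}

int main(void) {
    stmt_diag d;
    unsigned int err = report_then_close(mock_stmt_failing(), &d);
    printf("statement failed: %u (%s)\n", err, d.msg);
    return 0;
}
```

Under AddressSanitizer the contrast function reports a heap-use-after-free on the first read after the close, which is the crash the advisory classes as a denial of service.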



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866818; Package src:libdbd-mysql-perl. (Mon, 28 Aug 2017 13:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 28 Aug 2017 13:00:03 GMT) (full text, mbox, link).


Message #10 received at 866818@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 866818@bugs.debian.org
Subject: Re: Bug#866818: libdbd-mysql-perl: CVE-2017-10788
Date: Mon, 28 Aug 2017 14:56:36 +0200
Hi,
On Sun, Jul 02, 2017 at 09:15:39AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for libdbd-mysql-perl.
> 
> CVE-2017-10788[0]:
> | The DBD::mysql module through 4.043 for Perl allows remote attackers to
> | cause a denial of service (use-after-free and application crash) or
> | possibly have unspecified other impact by triggering (1) certain error
> | responses from a MySQL server or (2) a loss of a network connection to
> | a MySQL server. The use-after-free defect was introduced by relying on
> | incorrect Oracle mysql_stmt_close documentation and code examples.
> 
> Related discussions in [1] and [2]. [2] contains a proposed patch.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10788
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
> [1] http://seclists.org/oss-sec/2017/q2/443
> [2] https://github.com/perl5-dbi/DBD-mysql/issues/120
> 
> Please adjust the affected versions in the BTS as needed.

I've pinged upstream again why the patch is still pending:

    https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844

Cheers,
 -- Guido



Marked as found in versions libdbd-mysql-perl/4.021-1. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Mon, 28 Aug 2017 13:03:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866818; Package src:libdbd-mysql-perl. (Wed, 30 Aug 2017 16:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 16:54:03 GMT) (full text, mbox, link).


Message #17 received at 866818@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: Guido Günther <agx@sigxcpu.org>, 866818@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#866818: libdbd-mysql-perl: CVE-2017-10788
Date: Wed, 30 Aug 2017 12:51:24 -0400
On Mon, Aug 28, 2017 at 02:56:36PM +0200, Guido Günther wrote:
> I've pinged upstream again why the patch is still pending:
> 
>     https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844

After reviewing the original advisory and the suggested patch, I have
opened that PR in:

https://github.com/perl5-dbi/DBD-mysql/pull/142

... and will ship that in the coming LTS upload.

A.

-- 
If it's important for you, you'll find a way.
If it's not, you'll find an excuse.
                        - Unknown

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866818; Package src:libdbd-mysql-perl. (Wed, 30 Aug 2017 16:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 16:57:03 GMT) (full text, mbox, link).


Message #22 received at 866818@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Antoine Beaupre <anarcat@orangeseeds.org>
Cc: 866818@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#866818: libdbd-mysql-perl: CVE-2017-10788
Date: Wed, 30 Aug 2017 18:55:42 +0200
Hi,
On Wed, Aug 30, 2017 at 12:51:24PM -0400, Antoine Beaupre wrote:
> On Mon, Aug 28, 2017 at 02:56:36PM +0200, Guido Günther wrote:
> > I've pinged upstream again why the patch is still pending:
> > 
> >     https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844
> 
> After reviewing the original advisory and the suggested patch, I have
> opened that PR in:
> 
> https://github.com/perl5-dbi/DBD-mysql/pull/142
> 
> ... and will ship that in the coming LTS upload.

Great. Note that the original patch author is unhappy about the current
upstream handling of security fixes and is proposing a fork:

    https://www.nntp.perl.org/group/perl.dbi.dev/2017/08/msg8030.html

This might be a timely coincidence but I don't think so.
Cheers,
 -- Guido

> 
> A.
> 
> -- 
> If it's important for you, you'll find a way.
> If it's not, you'll find an excuse.
>                         - Unknown





Set Bug forwarded-to-address to 'https://github.com/perl5-dbi/DBD-mysql/issues/120'. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Mon, 12 Feb 2018 18:27:03 GMT) (full text, mbox, link).


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Sat, 17 Feb 2018 23:09:08 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Feb 2018 23:09:08 GMT) (full text, mbox, link).


Message #29 received at 866818-close@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>
To: 866818-close@bugs.debian.org
Subject: Bug#866818: fixed in libdbd-mysql-perl 4.046-1
Date: Sat, 17 Feb 2018 23:04:51 +0000
Source: libdbd-mysql-perl
Source-Version: 4.046-1

We believe that the bug you reported is fixed in the latest version of
libdbd-mysql-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866818@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libdbd-mysql-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Feb 2018 23:38:47 +0100
Source: libdbd-mysql-perl
Binary: libdbd-mysql-perl
Architecture: source
Version: 4.046-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 856250 866818 866821
Description: 
 libdbd-mysql-perl - Perl5 database interface to the MariaDB/MySQL database
Changes:
 libdbd-mysql-perl (4.046-1) unstable; urgency=medium
 .
   [ Alex Muntada ]
   * Remove inactive pkg-perl members from Uploaders.
 .
   [ Xavier Guimard ]
   * New upstream version
     Fixes:
     - "Regression for zerofill columns" (Closes: #856250)
     - "CVE-2017-10788: Use-after-free when calling mysql_stmt_error() after
       mysql_stmt_close()" (Closes: #866818)
     - "CVE-2017-10789: possible MITM attack when mysql_ssl=1" (Closes: #866821)
   * Bump Standards-Version to 4.1.3
   * Update regression-fix-float_type_conversion.patch
 .
   [ gregor herrmann ]
   * Update debian/upstream/metadata.
   * Bump debhelper compatibility level to 10.
   * Rename debian/source.lintian-overrides to debian/source/lintian-
     overrides. Thanks to lintian.
   * debian/control: drop "Testsuite: autopkgtest" as we have a
     debian/tests/control file. Thanks to lintian.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Mar 2018 07:27:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:15:25 2019; Machine Name: beach
