mysql-workbench: CVE-2017-3469

Related Vulnerabilities: CVE-2017-3469  

Debian Bug report logs - #861487
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 29 Apr 2017 15:27:02 UTC

Severity: important

Tags: security, upstream

Found in version mysql-workbench/6.2.3+dfsg-7

Fixed in version mysql-workbench/6.3.10+dfsg-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#861487; Package src:mysql-workbench. (Sat, 29 Apr 2017 15:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Sat, 29 Apr 2017 15:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-workbench: CVE-2017-3469
Date: Sat, 29 Apr 2017 17:23:27 +0200
Source: mysql-workbench
Version: 6.2.3+dfsg-7
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for mysql-workbench.

CVE-2017-3469[0]:
| Vulnerability in the MySQL Workbench component of Oracle MySQL
| (subcomponent: Workbench: Security : Encryption). Supported versions
| that are affected are 6.3.8 and earlier. Difficult to exploit
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise MySQL Workbench. Successful attacks
| of this vulnerability can result in unauthorized read access to a
| subset of MySQL Workbench accessible data. CVSS 3.0 Base Score 3.7
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Unfortunately as in most cases, no details are provided. Only known
that it should be fixed in 6.3.9. The issue is said to be difficult to
exploit so I guess we do not need a DSA for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3469
[1] http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Regards,
Salvatore



Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Sun, 04 Mar 2018 16:12:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 04 Mar 2018 16:12:04 GMT)


Message #10 received at 861487-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: 861487-close@bugs.debian.org
Subject: Bug#861487: fixed in mysql-workbench 6.3.10+dfsg-1
Date: Sun, 04 Mar 2018 16:09:16 +0000
Source: mysql-workbench
Source-Version: 6.3.10+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-workbench, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861487@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated mysql-workbench package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 05 Mar 2018 01:01:14 +1100
Source: mysql-workbench
Binary: mysql-workbench mysql-workbench-data
Architecture: source all amd64
Version: 6.3.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <onlyjob@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 mysql-workbench - MySQL Workbench - a visual database modeling, administration and
 mysql-workbench-data - MySQL Workbench -- architecture independent data
Closes: 861487
Changes:
 mysql-workbench (6.3.10+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     + fixes CVE-2017-3469 (Closes: #861487)
   * Removed non-free "antlr3convertutf.c".
   * Build-Depends:
     - libgtkmm-2.4-dev
     + libgtkmm-3.0-dev
     + libgtk-3-dev
     + python-paramiko
     + antlr3
   * Standards-Version: 4.1.3.
   * debhelper & compat to version 11.
   * rules: removed calls to "dpkg-parsechangelog".
   * watch: added "repacksuffix".

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 Apr 2018 07:29:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:46 2019; Machine Name: buxtehude
