mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection


Debian Bug report logs - #887751


Reported by: Guido Günther <agx@sigxcpu.org>

Date: Fri, 19 Jan 2018 16:39:05 UTC

Severity: serious

Tags: security, upstream

Found in version 6.4.3-2

Fixed in version 6.4.3-4+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>:
Bug#887751; Package mysql-connector-net. (Fri, 19 Jan 2018 16:39:07 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>. (Fri, 19 Jan 2018 16:39:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Date: Fri, 19 Jan 2018 17:38:39 +0100

Package: mysql-connector-net
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: grave
Version: 6.4.3-2

Hi,

the following vulnerability was published for mysql-connector-net.

CVE-2018-2585[0]:
| Vulnerability in the MySQL Connectors component of Oracle MySQL
| (subcomponent: Connector/Net). Supported versions that are affected
| are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise MySQL Connectors. Successful attacks
| of this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of MySQL
| Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
| Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-2585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585

Please adjust the affected versions in the BTS as needed.



Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Jan 2018 16:48:05 GMT)


Severity set to 'grave' from 'important'. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Fri, 19 Jan 2018 16:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>:
Bug#887751; Package mysql-connector-net. (Tue, 23 Jan 2018 05:39:06 GMT)


Acknowledgement sent to Mirco Bauer <meebey@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>. (Tue, 23 Jan 2018 05:39:06 GMT)


Message #14 received at 887751@bugs.debian.org:

From: Mirco Bauer <meebey@debian.org>
To: Guido Günther <agx@sigxcpu.org>, 887751@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Date: Tue, 23 Jan 2018 13:37:51 +0800

severity 887751 important
thanks

Hello Guido,

thank you for the report.

CVE-2018-2585 has been rated by the Debian security team as a minor issue [0].
You have bumped the severity from important to grave without an explanation.
Is there something you want to share?

 [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             meebey@meebey.net  https://www.meebey.net/
Debian Developer        meebey@debian.org  http://www.debian.org/
GNOME Foundation Member mmmbauer@gnome.org http://www.gnome.org/
CTO @ Gatecoin Ltd.     mirco@gatecoin.com https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc


Severity set to 'important' from 'grave'. Request was from Mirco Bauer <meebey@debian.org> to control@bugs.debian.org. (Tue, 23 Jan 2018 05:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>:
Bug#887751; Package mysql-connector-net. (Tue, 23 Jan 2018 06:39:03 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>. (Tue, 23 Jan 2018 06:39:03 GMT)


Message #21 received at 887751@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Mirco Bauer <meebey@debian.org>
Cc: 887751@bugs.debian.org, control@bugs.debian.org
Subject: Re: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Date: Tue, 23 Jan 2018 07:37:11 +0100

Hi Mirco,
On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
>    severity 887751 important
>    thanks
> 
>    Hello Guido,
> 
>    thank you for the report.
> 
>    CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
>    You have bumped the severity from important to grave without an
>    explanation.

It only went in as important because I messed up the original report,
sorry about that.

>    Is there something you want to share?

I marked it as no-dsa in the security tracker because I don't see a
sensible way to fix this in stable / oldstable (given Oracle's update
policy) and due to the affected reverse dependencies we currently have
in these releases. But I deem the issue important enough to not let the
package slip into a stable release again "accidentally". Does this make
sense?

Cheers,
 -- Guido

>     [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>:
Bug#887751; Package mysql-connector-net. (Tue, 23 Jan 2018 07:09:07 GMT)


Acknowledgement sent to Mirco Bauer <meebey@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>. (Tue, 23 Jan 2018 07:09:07 GMT)


Message #26 received at 887751@bugs.debian.org:

From: Mirco Bauer <meebey@debian.org>
To: Guido Günther <agx@sigxcpu.org>
Cc: 887751@bugs.debian.org, control@bugs.debian.org
Subject: Re: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Date: Tue, 23 Jan 2018 15:06:44 +0800

severity 887751 serious
thanks

Hello Guido,

OK, that does make sense, to have at least an RC severity to keep the
bad/affected version out of testing.
If your severity-upgrading email had contained this reasoning I
wouldn't have downgraded it :)

"grave" is too high though, as this security issue has a DoS impact and not
an access/privilege one.
For the RC part to work, "serious" is adequate though.

Thanks for the clarification.

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             meebey@meebey.net  https://www.meebey.net/
Debian Developer        meebey@debian.org  http://www.debian.org/
GNOME Foundation Member mmmbauer@gnome.org http://www.gnome.org/
CTO @ Gatecoin Ltd.     mirco@gatecoin.com https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc


Severity set to 'serious' from 'important'. Request was from Mirco Bauer <meebey@debian.org> to control@bugs.debian.org. (Tue, 23 Jan 2018 07:09:09 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 25 Mar 2019 15:57:22 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Mon, 25 Mar 2019 15:57:22 GMT)


Message #33 received at 887751-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 557695-done@bugs.debian.org,738783-done@bugs.debian.org,832487-done@bugs.debian.org,883923-done@bugs.debian.org,887751-done@bugs.debian.org,907304-done@bugs.debian.org,920818-done@bugs.debian.org,
Cc: mysql-connector-net@packages.debian.org
Subject: Bug#925262: Removed package(s) from unstable
Date: Mon, 25 Mar 2019 15:56:49 +0000
Version: 6.4.3-4+rm

Dear submitter,

as the package mysql-connector-net has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/925262

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:07:09 2019; Machine Name: buxtehude
