Debian Bug report logs -
#854713
mysql-5.5: CVE-2017-3302: Use after free in libmysqlclient.so
Reported by: Balint Reczey <balint@balintreczey.hu>
Date: Thu, 9 Feb 2017 18:33:07 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions 5.5.47-0+deb7u1, 5.5.54-0+deb8u1, 5.5.23-2
Fixed in version mysql-5.5/5.5.55-0+deb8u1
Done: Lars Tangvald <lars.tangvald@oracle.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#854713; Package mysql-5.5.
(Thu, 09 Feb 2017 18:33:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Balint Reczey <balint@balintreczey.hu>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Thu, 09 Feb 2017 18:33:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mysql-5.5
Version: 5.5.54-0+deb8u1
Severity: important
Tags: security
Hi,
The following vulnerability was published for mysql-5.5.
Issue without CVE id #0 [0]:
use after free in libmysqlclient.so
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
https://security-tracker.debian.org/tracker/source-package/mysql-5.5
(issues without CVE id are assigned a TEMP one, but it may change over time)
Please adjust the affected versions in the BTS as needed.
Marked as found in versions 5.5.47-0+deb7u1.
Request was from Bálint Réczey <balint@balintreczey.hu>
to control@bugs.debian.org.
(Thu, 09 Feb 2017 18:57:03 GMT) (full text, mbox, link).
Marked as fixed in versions 5.5.47-0+deb7u2.
Request was from Bálint Réczey <balint@balintreczey.hu>
to control@bugs.debian.org.
(Thu, 09 Feb 2017 18:57:04 GMT) (full text, mbox, link).
No longer marked as fixed in versions 5.5.47-0+deb7u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Feb 2017 03:09:02 GMT) (full text, mbox, link).
Changed Bug title to 'mysql-5.5: CVE-2017-3302: Use after free in libmysqlclient.so' from 'mysql-5.5: use after free in libmysqlclient.so'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Feb 2017 03:12:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Feb 2017 03:12:05 GMT) (full text, mbox, link).
Marked as found in versions 5.5.23-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 26 Apr 2017 05:57:03 GMT) (full text, mbox, link).
Reply sent
to Lars Tangvald <lars.tangvald@oracle.com>:
You have taken responsibility.
(Fri, 28 Apr 2017 10:36:05 GMT) (full text, mbox, link).
Notification sent
to Balint Reczey <balint@balintreczey.hu>:
Bug acknowledged by developer.
(Fri, 28 Apr 2017 10:36:05 GMT) (full text, mbox, link).
Message #22 received at 854713-close@bugs.debian.org (full text, mbox, reply):
Source: mysql-5.5
Source-Version: 5.5.55-0+deb8u1
We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 854713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lars Tangvald <lars.tangvald@oracle.com> (supplier of updated mysql-5.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 18 Apr 2017 09:24:12 +0200
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.5 mysql-source-5.5
Architecture: all source
Version: 5.5.55-0+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Lars Tangvald <lars.tangvald@oracle.com>
Closes: 854713 860544
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient18 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - PIC version of MySQL embedded server development files
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-5.5 - MySQL database client binaries
mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-5.5 - MySQL database server binaries and system database setup
mysql-server-core-5.5 - MySQL database server binaries
mysql-source-5.5 - MySQL source
mysql-testsuite - MySQL testsuite
mysql-testsuite-5.5 - MySQL testsuite
Changes:
mysql-5.5 (5.5.55-0+deb8u1) jessie-security; urgency=high
.
* Imported upstream version 5.5.55 to fix security issues:
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309
- CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461
- CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600
(Closes: #860544, #854713)
* d/patches: refreshed 62_disable_tests.patch
* d/patches: dropped fix_test_events_2.patch. Issue fixed upstream
Checksums-Sha1:
0e87be3d9901201d8686248c01138eb2b3ed8de3 3262 mysql-5.5_5.5.55-0+deb8u1.dsc
8ab934610e09e5325e143680a201d86ba7f2f70d 21040959 mysql-5.5_5.5.55.orig.tar.gz
8c56d62fda9a53c4cad146e8668998ef5073c13a 232772 mysql-5.5_5.5.55-0+deb8u1.debian.tar.xz
0c9814f51aea9d5562c917e33e227a0ac305b388 85990 mysql-common_5.5.55-0+deb8u1_all.deb
109bc8468b6c4801064a680117a3740eef247800 84232 mysql-server_5.5.55-0+deb8u1_all.deb
266d43a5ea80782f7879184f69ac559aabd7a7cd 84106 mysql-client_5.5.55-0+deb8u1_all.deb
88770fe124e15a608169ae3d7713b9d30a0a709a 84084 mysql-testsuite_5.5.55-0+deb8u1_all.deb
Checksums-Sha256:
52cabbff6950dd73e89db86092c84cd658c49f59120af6eab8b35d4a67e92850 3262 mysql-5.5_5.5.55-0+deb8u1.dsc
9af0a504e2603b0bc0c7c3a4a747df064fb51670a0022b1ad6114f9058b64171 21040959 mysql-5.5_5.5.55.orig.tar.gz
7072d8bf9ffbf40ef82d95c0ff8f87a5ef9f84753946a7e3c1a343bb99750401 232772 mysql-5.5_5.5.55-0+deb8u1.debian.tar.xz
aa45126c71ab1978d3e2d7b2e498ecc55778627a40361c75011a2a631151dcba 85990 mysql-common_5.5.55-0+deb8u1_all.deb
d9ba8a84584cdff8fd56310da2fd80f18ab9e1543a94b1083f72dd307c8e23ef 84232 mysql-server_5.5.55-0+deb8u1_all.deb
033c8e0f6b04dfc30a4a443acac568304be5733fd8da8aceeb19004cbb96bc8c 84106 mysql-client_5.5.55-0+deb8u1_all.deb
0f03018e78290f74e56f56b516d96d36fcb7fc3b8778956184bfa9faa837c375 84084 mysql-testsuite_5.5.55-0+deb8u1_all.deb
Files:
82be8dbc29494e30bfaa924f9982b43e 3262 database optional mysql-5.5_5.5.55-0+deb8u1.dsc
6414b0dc724c1297139991164c4038cc 21040959 database optional mysql-5.5_5.5.55.orig.tar.gz
72c59e13b8877090dd2924e9bf0c2f5e 232772 database optional mysql-5.5_5.5.55-0+deb8u1.debian.tar.xz
eac582cf88a7eac7b5c5af97cc1a354a 85990 database optional mysql-common_5.5.55-0+deb8u1_all.deb
b334505357186fb58ba8ba7d2a587821 84232 database optional mysql-server_5.5.55-0+deb8u1_all.deb
df9b7e1e68599d6c5ddb6a5102aa6f4f 84106 database optional mysql-client_5.5.55-0+deb8u1_all.deb
5e509c668d4c5161e3acb06ee05bf86b 84084 database optional mysql-testsuite_5.5.55-0+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlj8YFtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Et/4P/2sU3A887ku6TR/FpYEC+IYfqCetOOsh
aSZhE6ehC/Gbv450zOg/ReOYVJpkxplAJZh9H2dhljPHvpy/a5TetkE+VWuIp7uG
Y7i/B3fVZEaISVznB799/6WwG/GTKfPXIqYBQnutVuUqMKvflpSB8n50BH7zrWzE
SugKEDzMl649HCd6jdq7o20GysIIgQMdBejTAYnk7iG9hJUKVmXGW3jwfH0gzxM9
ouWItE/ay1QJDj35DxeYNvuMOg3iGHH8N9cjbUKCMmww9d7SO+j1uj+TOff6P2rN
eFlyXk33pCqbMw6SYgiRp8txfMruZuR2naGLmGxJKgmTpGX8lQV5qc1RdjY9FDnP
LsaojZkl4ux4XUoFodHlFsH/howSz+5SNTGJeGuE46BmwYISOhtkbcFTisERIe23
mhHV8AigOCx3PckwTg0nEV53FfqUGmOR39cM/YejoU3etGHqnuZkl2jCiExvXwL9
KfJgjm/z1sKR5e/z7etnbUVsL+IImhNIvwk7VGVIBfpOEk1t23MB19zi6CTYlMOY
gMCCE6p498gC349Uurpt4sHgTyFSv4Xv1uxjavSZp08gkpsxo3UMPs7j0rRijXFo
EntnjEci+SM3jfKNHR4tq7cCBUcPuXPJJx3UQ9uSbz67zOAIc7dsMiLZcPqLNdXM
DWbkaOqeC8IZ
=SFAU
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 27 May 2017 07:25:52 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:50:50 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon