
Debian Bug report logs - #844475
CVE-2016-1249: Out-of-bounds read by DBD::mysql


Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 16 Nov 2016 05:33:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions libdbd-mysql-perl/4.021-1, libdbd-mysql-perl/4.037-5

Fixed in version libdbd-mysql-perl/4.039-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#844475; Package libdbd-mysql-perl. (Wed, 16 Nov 2016 05:33:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 16 Nov 2016 05:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2016-1249: Out-of-bounds read by DBD::mysql
Date: Wed, 16 Nov 2016 07:28:44 +0200

Package: libdbd-mysql-perl
Version: 4.037-5
Severity: important
Tags: security, fixed-upstream, upstream

Hi,

the following vulnerability was published for libdbd-mysql-perl.

CVE-2016-1249: Out-of-bounds read by DBD::mysql

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
http://www.openwall.com/lists/oss-security/2016/11/16/1
https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe

Please adjust the affected versions in the BTS as needed.

-- 
Henri Salo



Marked as found in versions libdbd-mysql-perl/4.021-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 16 Nov 2016 05:48:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 16 Nov 2016 06:06:03 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 16 Nov 2016 06:06:03 GMT)


Message #12 received at 844475-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 844475-close@bugs.debian.org
Subject: Bug#844475: fixed in libdbd-mysql-perl 4.039-1
Date: Wed, 16 Nov 2016 06:03:42 +0000
Source: libdbd-mysql-perl
Source-Version: 4.039-1

We believe that the bug you reported is fixed in the latest version of
libdbd-mysql-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 844475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libdbd-mysql-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 16 Nov 2016 06:42:33 +0100
Source: libdbd-mysql-perl
Binary: libdbd-mysql-perl
Architecture: source
Version: 4.039-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 844475
Description: 
 libdbd-mysql-perl - Perl5 database interface to the MariaDB/MySQL database
Changes:
 libdbd-mysql-perl (4.039-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 4.039
     - CVE-2016-1249: Fixes out-of-bounds read when using server side
       prepared statements with an unaligned number of placeholders in
       WHERE condition and output fields in SELECT expression.
       (Closes: #844475)



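A defensive gate added here as an example (it is not part of the bug report, the Debian package, or DBD::mysql itself): it keeps server-side prepared statements off on any DBD::mysql older than the 4.039 the changelog names as fixed. `safe_connect`, `dbd_mysql_is_fixed`, `wants_server_prepare`, the DSN, credentials and table are the example's own assumptions; `mysql_server_prepare` is DBD::mysql's real DSN option and connection attribute.

```perl
use strict;
use warnings;
use DBI;
use DBD::mysql;
use version;

# CVE-2016-1249 is fixed upstream in DBD::mysql 4.039 (Debian: libdbd-mysql-perl 4.039-1).
# Only server-side prepared statements reach the affected code; DBD::mysql turns them on
# with the mysql_server_prepare DSN option or connection attribute (off by default).
my $FIXED_VERSION = version->parse('4.039');

# 1 when the loaded DBD::mysql carries the fix, 0 otherwise (argument only for testing).
sub dbd_mysql_is_fixed {
    my $installed = shift // $DBD::mysql::VERSION;
    return version->parse($installed) >= $FIXED_VERSION ? 1 : 0;
}

# 1 if the DSN or the attribute hash asks for server-side prepared statements.
sub wants_server_prepare {
    my ($dsn, $attr) = @_;
    return 1 if $dsn =~ /(?:^dbi:mysql:|;)mysql_server_prepare=1(?:;|$)/i;
    return 1 if $attr && $attr->{mysql_server_prepare};
    return 0;
}

# Example helper (assumed name): like DBI->connect, but on an unfixed DBD::mysql fall
# back to client-side (emulated) prepared statements instead of the vulnerable mode.
sub safe_connect {
    my ($dsn, $user, $pass, $attr) = @_;
    $attr //= { RaiseError => 1, PrintError => 0 };
    if ( !dbd_mysql_is_fixed() && wants_server_prepare($dsn, $attr) ) {
        $dsn =~ s/^(dbi:mysql:)mysql_server_prepare=1;?/$1/i;   # option as first DSN component
        $dsn =~ s/;mysql_server_prepare=1(?=;|$)//i;              # option as a later component
        $attr->{mysql_server_prepare} = 0;
        warn "DBD::mysql $DBD::mysql::VERSION < 4.039 (CVE-2016-1249): "
           . "server-side prepared statements disabled for this connection\n";
    }
    return DBI->connect($dsn, $user, $pass, $attr);
}

# Constructed usage: two output columns but one placeholder is the "unaligned"
# shape the changelog describes, so it goes through safe_connect.
if (!caller) {
    my $dbh = safe_connect('DBI:mysql:database=test;host=127.0.0.1;mysql_server_prepare=1',
                           'user', 'password');
    my $sth = $dbh->prepare('SELECT id, name FROM items WHERE id = ?');
    $sth->execute(1);
    while (my $row = $sth->fetchrow_arrayref) { print join("\t", @$row), "\n" }
}
```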


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:20:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:16:50 2019; Machine Name: buxtehude
