Debian Bug report logs - #737596
mysql-5.5: CVE-2014-0001: command-line tool buffer overflow via long server version string
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 4 Feb 2014 05:54:01 UTC
Severity: grave
Tags: security, upstream
Found in version mysql-5.5/5.5.20-1
Fixed in versions mysql-5.5/5.5.37-0+wheezy1, mysql-5.5/5.5.37-1
Done: James Page <jamespage@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#737596; Package src:mysql-5.5. (Tue, 04 Feb 2014 05:54:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 04 Feb 2014 05:54:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mysql-5.5
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for mysql-5.5.
CVE-2014-0001[0]:
command-line tool buffer overflow via long server version string
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
http://security-tracker.debian.org/tracker/CVE-2014-0001
[1] http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1054592
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Feb 2014 15:45:11 GMT)
Marked as found in versions mysql-5.5/5.5.20-1.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Feb 2014 15:48:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#737596; Package src:mysql-5.5. (Fri, 14 Mar 2014 07:48:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 14 Mar 2014 07:48:05 GMT)
Message #14 received at 737596@bugs.debian.org:
Control: clone 737596 -1
Control: reassign -1 src:mysql-5.6
Control: retitle -1 mysql-5.6: CVE-2014-0001: command-line tool buffer overflow via long server version string
Hi,
On Tue, Feb 04, 2014 at 06:51:50AM +0100, Salvatore Bonaccorso wrote:
> Source: mysql-5.5
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for mysql-5.5.
>
> CVE-2014-0001[0]:
> command-line tool buffer overflow via long server version string
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
> http://security-tracker.debian.org/tracker/CVE-2014-0001
> [1] http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1054592
>
> Please adjust the affected versions in the BTS as needed.
The same seems to apply to mysql-5.6 at first glance. Cloning the
original bugreport to make a copy for the mysql-5.6 source package.
Regards,
Salvatore
Bug 737596 cloned as bug 741590
Request was from Salvatore Bonaccorso <carnil@debian.org> to 737596-submit@bugs.debian.org. (Fri, 14 Mar 2014 07:48:05 GMT)
Reply sent to James Page <jamespage@debian.org>: You have taken responsibility. (Thu, 24 Apr 2014 21:46:00 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 24 Apr 2014 21:46:00 GMT)
Message #21 received at 737596-close@bugs.debian.org:
Source: mysql-5.5
Source-Version: 5.5.37-1
We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Page <jamespage@debian.org> (supplier of updated mysql-5.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 24 Apr 2014 18:03:59 +0100
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.37-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: James Page <jamespage@debian.org>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient18 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - PIC version of MySQL embedded server development files
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-5.5 - MySQL database client binaries
mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-5.5 - MySQL database server binaries and system database setup
mysql-server-core-5.5 - MySQL database server binaries
mysql-source-5.5 - MySQL source
mysql-testsuite - MySQL testsuite
mysql-testsuite-5.5 - MySQL testsuite
Closes: 736087 737596 739846 744910
Changes:
mysql-5.5 (5.5.37-1) unstable; urgency=medium
.
* SECURITY UPDATE: Update to 5.5.37 to fix security issues (Closes: #744910)
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- CVE-2014-0001 (Closes: #737596).
- CVE-2014-0384
- CVE-2014-2419
- CVE-2014-2430
- CVE-2014-2431
- CVE-2014-2432
- CVE-2014-2436
- CVE-2014-2438
- CVE-2014-2440
* d/mysql-server-5.5.mysql.init: Fixup indentation on previous change
(Closes: #739846).
* d/rules: Always install apparmor profile, not just on Ubuntu
(Closes: #736087).
* d/control: Update for use of virtual-* packages for switching to/from
MySQL alternatives.
* d/watch,repack.*: Drop repackaging as upstream tarball is now DFSG
compliant.
Marked as fixed in versions mysql-5.5/5.5.37-0+wheezy1.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 May 2014 08:09:08 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Jul 2014 07:35:03 GMT)