CVE-2012-4414: SQL injection

Related Vulnerabilities: CVE-2012-4414, CVE-2013-0375

Debian Bug report logs - #687484


Package: mysql-5.1; Maintainer for mysql-5.1 is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 13 Sep 2012 08:06:01 UTC

Severity: grave

Tags: security

Found in version 5.1.66-0+squeeze1

Fixed in versions 5.1.72-1, 5.5.29+dfsg-1

Done: Henri Salo <henri@nerv.fi>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#687484; Package mysql-5.1. (Thu, 13 Sep 2012 08:06:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Thu, 13 Sep 2012 08:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-4414: SQL injection
Date: Thu, 13 Sep 2012 10:00:15 +0200
Package: mysql-5.1
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4414 for details
and patches.

Cheers,
       Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#687484; Package mysql-5.1. (Tue, 30 Sep 2014 06:21:10 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 30 Sep 2014 06:21:10 GMT)


Message #10 received at 687484@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 687484@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Status of CVE-2012-4414: SQL injection
Date: Tue, 30 Sep 2014 09:19:26 +0300

What is current status of CVE-2012-4414? Information about the issue in
http://www.openwall.com/lists/oss-security/2012/09/11/4

Marked as grave and security without any comments from maintainers. Plans to
patch this issue? If not could you please give reasoning, thank you.

---
Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#687484; Package mysql-5.1. (Tue, 30 Sep 2014 07:12:05 GMT)


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 30 Sep 2014 07:12:05 GMT)


Message #15 received at 687484@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Henri Salo <henri@nerv.fi>
Cc: 687484@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Re: [debian-mysql] Bug#687484: Status of CVE-2012-4414: SQL injection
Date: Tue, 30 Sep 2014 16:10:23 +0900

Henri Salo <henri@nerv.fi> writes:

> What is current status of CVE-2012-4414? Information about the issue in
> http://www.openwall.com/lists/oss-security/2012/09/11/4
>
> Marked as grave and security without any comments from maintainers. Plans to
> patch this issue? If not could you please give reasoning, thank you.

I think this bug only affects squeeze (oldstable) which reached its EOL
and is now only supported by volunteers as part of the Debian-LTS
project so you should probably get in touch with them:

https://wiki.debian.org/LTS

Cheers,
-- 
Arnaud Fontaine



Marked as fixed in versions 5.5.29+dfsg-1. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 30 Sep 2014 08:39:04 GMT)


Marked as fixed in versions 5.1.72-1. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 30 Sep 2014 08:45:14 GMT)


Marked as found in versions 5.1.66-0+squeeze1. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 30 Sep 2014 08:48:30 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#687484; Package mysql-5.1. (Tue, 30 Sep 2014 09:21:05 GMT)


Acknowledgement sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 30 Sep 2014 09:21:05 GMT)


Message #26 received at 687484@bugs.debian.org:

From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
To: 687484@bugs.debian.org, "Henri Salo" <henri@nerv.fi>
Cc: "Moritz Muehlenhoff" <jmm@inutil.org>, "Debian MySQL Maintainers" <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Re: [debian-mysql] Bug#687484: Status of CVE-2012-4414: SQL injection
Date: Tue, 30 Sep 2014 10:20:59 +0200

On Tue, 30 Sep 2014 08:19:26 +0200, Henri Salo <henri@nerv.fi> wrote:

> What is current status of CVE-2012-4414? Information about the issue in
> http://www.openwall.com/lists/oss-security/2012/09/11/4
>
> Marked as grave and security without any comments from maintainers. Plans to
> patch this issue? If not could you please give reasoning, thank you.

This issue was fixed as CVE-2013-0375 in MySQL 5.1.67 and 5.5.29 [1].  
CVE-2013-0375 and CVE-2012-4414 are equivalent.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixMSQL



Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Tue, 30 Sep 2014 11:45:17 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 30 Sep 2014 11:45:17 GMT)


Message #31 received at 687484-close@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 687484-close@bugs.debian.org
Subject: closing
Date: Tue, 30 Sep 2014 14:40:31 +0300

Closing.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Oct 2014 07:35:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:19:11 2019; Machine Name: buxtehude
