Important: mysql security update

Synopsis

Important: mysql security update

Type/Severity

Security Advisory: Important

Topic

Updated mysql packages that fix several security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

MySQL is a multi-user, multi-threaded SQL database server. It consists of
the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory pages, listed in the References section. (CVE-2012-1688,
CVE-2012-1690, CVE-2012-1703, CVE-2012-2749, CVE-2012-0540, CVE-2012-1689,
CVE-2012-1734, CVE-2012-3163, CVE-2012-3158, CVE-2012-3177, CVE-2012-3166,
CVE-2012-3173, CVE-2012-3150, CVE-2012-3180, CVE-2012-3167, CVE-2012-3197,
CVE-2012-3160)

These updated packages upgrade MySQL to version 5.1.66. Refer to the MySQL
release notes listed in the References section for a full list of changes.

All MySQL users should upgrade to these updated packages, which correct
these issues. After installing this update, the MySQL server daemon
(mysqld) will be restarted automatically.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Update Support 6.3 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 6.3 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.3 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.3 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.3 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.3 i386

Fixes

• BZ - 814285 - CVE-2012-1688 mysql: Unspecified vulnerability in the server DML subcomponent leading to DoS (server hang / crash) (Oracle CPU April 2012)
• BZ - 814287 - CVE-2012-1690 mysql: Unspecified vulnerability in the server optimizer subcomponent leading to DoS (server hang / crash) (Oracle CPU April 2012)
• BZ - 814293 - CVE-2012-1703 mysql: Unspecified vulnerability in the server optimizer subcomponent leading to DoS (server crash or system hang) (Oracle CPU April 2012)
• BZ - 833737 - CVE-2012-2749 mysql: crash caused by wrong calculation of key length for sort order index
• BZ - 841349 - CVE-2012-0540 mysql: unspecified vulnerability related to GIS extension DoS (CPU Jul 2012)
• BZ - 841351 - CVE-2012-1689 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012)
• BZ - 841353 - CVE-2012-1734 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012)
• BZ - 867212 - CVE-2012-3163 mysql: unspecified vulnerability related to Information Schema
• BZ - 867213 - CVE-2012-3158 mysql: unspecified vulnerability related to the MySQL Protocol
• BZ - 867215 - CVE-2012-3177 mysql: unspecified Server DoS vulnerability
• BZ - 867216 - CVE-2012-3166 mysql: unspecified DoS vulnerability related to InnoDB
• BZ - 867217 - CVE-2012-3173 mysql: unspecified DoS vulnerability related to InnoDB Plugin
• BZ - 867220 - CVE-2012-3150 mysql: unspecified DoS vulnerability related to Server Optimizer
• BZ - 867223 - CVE-2012-3180 mysql: unspecified DoS vulnerability related to Server Optimizer
• BZ - 867230 - CVE-2012-3167 mysql: unspecified DoS vulnerability related to Server Full Text Search
• BZ - 867233 - CVE-2012-3197 mysql: unspecified DoS vulnerability related to Server Replication
• BZ - 867238 - CVE-2012-3160 mysql: unspecified vulnerability in Server Installation leading to information disclosure

CVEs

• CVE-2012-3177
• CVE-2012-0540
• CVE-2012-1689
• CVE-2012-1688
• CVE-2012-1690
• CVE-2012-1703
• CVE-2012-1734
• CVE-2012-3160
• CVE-2012-3158
• CVE-2012-2749
• CVE-2012-3163
• CVE-2012-3173
• CVE-2012-3166
• CVE-2012-3167
• CVE-2012-3150
• CVE-2012-3197
• CVE-2012-3180

References

• https://access.redhat.com/security/updates/classification/#important
• http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL
• http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html#AppendixMSQL
• http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html#AppendixMSQL
• http://dev.mysql.com/doc/refman/5.1/en/news-5-1-62.html
• http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
• http://dev.mysql.com/doc/refman/5.1/en/news-5-1-64.html
• http://dev.mysql.com/doc/refman/5.1/en/news-5-1-65.html
• http://dev.mysql.com/doc/refman/5.1/en/news-5-1-66.html