Debian Bug report logs - #659687
Multiple security issues


Package: mysql-5.1; Maintainer for mysql-5.1 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 13 Feb 2012 08:18:06 UTC

Severity: grave

Tags: security

Fixed in version mysql-5.1/5.1.61-2

Done: Clint Byrum <clint@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#659687; Package mysql-5.1. (Mon, 13 Feb 2012 08:18:09 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 13 Feb 2012 08:18:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Mon, 13 Feb 2012 09:15:43 +0100
Package: mysql-5.1
Severity: grave
Tags: security

Multiple security issues have been announced in MySQL:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL

Unfortunately Oracle refuses to release specific information, which would allow isolating
security fixes. As such, we should proceed by releasing 5.1.61 in stable-security.

MySQL 5.5 from experimental is affected as well. Do you plan to have 5.5 replace
5.1 for Wheezy?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#659687; Package mysql-5.1. (Mon, 13 Feb 2012 09:00:03 GMT)

Acknowledgement sent to Bjoern Boschman <bjoern@boschman.de>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 13 Feb 2012 09:00:05 GMT)

Message #10 received at 659687@bugs.debian.org:

From: Bjoern Boschman <bjoern@boschman.de>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 659687@bugs.debian.org
Subject: Re: [debian-mysql] Bug#659687: Multiple security issues
Date: Mon, 13 Feb 2012 09:52:24 +0100

Hi Moritz,

for mysql-5.5 in experimental there's currently a discussion ongoing
if mysql shall be replaced by MariaDB

http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2012-February/003866.html

I'm not sure about security policy in experimental but I'd suggest to
wait for a decision.

BR
B

On 13.02.2012 09:15, Moritz Muehlenhoff wrote:
> Package: mysql-5.1 Severity: grave Tags: security
> 
> Multiple security issues have been announced in MySQL: 
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL
>
>  Unfortunately Oracle refuses to release specific information,
> which would allow isolating security fixes. As such, we should proceed by
> releasing 5.1.61 in stable-security.
> 
> MySQL 5.5 from experimental is affected as well. Do you plan to
> have 5.5 replace 5.1 for Wheezy?
> 
> Cheers, Moritz
> 
> 
> 
> _______________________________________________ pkg-mysql-maint
> mailing list pkg-mysql-maint@lists.alioth.debian.org 
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#659687; Package mysql-5.1. (Tue, 14 Feb 2012 17:06:06 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 14 Feb 2012 17:06:06 GMT)

Message #15 received at 659687@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Bjoern Boschman <bjoern@boschman.de>
Cc: 659687@bugs.debian.org
Subject: Re: [debian-mysql] Bug#659687: Multiple security issues
Date: Tue, 14 Feb 2012 18:01:54 +0100
On Mon, Feb 13, 2012 at 09:52:24AM +0100, Bjoern Boschman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Moritz,
> 
> for mysql-5.5 in experimental there's currently a discussion ongoing
> if mysql shall be replaced by MariaDB
> 
> http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2012-February/003866.html

I agree that proceeding with mariadb instead of mysql for wheezy makes
sense.
 
> I'm not sure about security policy in experimental but I'd suggest to
> wait for a decision.

It's totally unsupported security-wise, so take your time.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#659687; Package mysql-5.1. (Fri, 24 Feb 2012 18:48:06 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 24 Feb 2012 18:48:06 GMT)

Message #20 received at 659687@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 659687@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Multiple security issues
Date: Fri, 24 Feb 2012 19:44:06 +0100
On Mon, Feb 13, 2012 at 09:15:43AM +0100, Moritz Muehlenhoff wrote:
> Package: mysql-5.1
> Severity: grave
> Tags: security
> 
> Multiple security issues have been announced in MySQL:
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL
> 
> Unfortunately Oracle refuses to release specific information, which would allow isolating
> security fixes. As such, we should proceed by releasing 5.1.61 in stable-security.

MySQL maintainers, can you please prepare packages for 5.1.61 for stable-security?
This has been unfixed for too long.

Cheers,
        Moritz




Added tag(s) pending. Request was from Clint Byrum <spamaps-guest@alioth.debian.org> to control@bugs.debian.org. (Sat, 03 Mar 2012 23:30:11 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#659687; Package mysql-5.1. (Sat, 03 Mar 2012 23:54:07 GMT)

Acknowledgement sent to Clint Byrum <clint@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sat, 03 Mar 2012 23:54:07 GMT)

Message #27 received at 659687@bugs.debian.org:

From: Clint Byrum <clint@ubuntu.com>
To: security <security@rt.debian.org>
Cc: 659687@bugs.debian.org
Subject: Debian RT - Fix for mysql CVE's needs sponsorship
Date: Sat, 03 Mar 2012 15:52:21 -0800
Hello! I have prepared fixed packages for stable-security and unstable for mysql-5.1.

They are available in SVN here (these are tagged and ready to upload):

http://anonscm.debian.org/viewvc/pkg-mysql/mysql-5.1/branches/

Or I can upload the raw source packages somewhere if that is
preferred. This is a new upstream version so the orig tarball will need
to be uploaded (it does not need to be repacked so it can be downloaded
using the url in the watch file.)

This is my first time updating a package for security issues, so please
advise me what I should do next.

Thanks!




Reply sent to Clint Byrum <clint@ubuntu.com>:
You have taken responsibility. (Wed, 07 Mar 2012 07:45:18 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 07 Mar 2012 07:45:18 GMT)

Message #32 received at 659687-close@bugs.debian.org:

From: Clint Byrum <clint@ubuntu.com>
To: 659687-close@bugs.debian.org
Subject: Bug#659687: fixed in mysql-5.1 5.1.61-2
Date: Wed, 07 Mar 2012 07:35:08 +0000
Source: mysql-5.1
Source-Version: 5.1.61-2

We believe that the bug you reported is fixed in the latest version of
mysql-5.1, which is due to be installed in the Debian FTP archive:

libmysqlclient-dev_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/libmysqlclient-dev_5.1.61-2_amd64.deb
libmysqlclient16_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/libmysqlclient16_5.1.61-2_amd64.deb
libmysqld-dev_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/libmysqld-dev_5.1.61-2_amd64.deb
libmysqld-pic_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/libmysqld-pic_5.1.61-2_amd64.deb
mysql-5.1_5.1.61-2.diff.gz
  to main/m/mysql-5.1/mysql-5.1_5.1.61-2.diff.gz
mysql-5.1_5.1.61-2.dsc
  to main/m/mysql-5.1/mysql-5.1_5.1.61-2.dsc
mysql-5.1_5.1.61.orig.tar.gz
  to main/m/mysql-5.1/mysql-5.1_5.1.61.orig.tar.gz
mysql-client-5.1_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/mysql-client-5.1_5.1.61-2_amd64.deb
mysql-client_5.1.61-2_all.deb
  to main/m/mysql-5.1/mysql-client_5.1.61-2_all.deb
mysql-common_5.1.61-2_all.deb
  to main/m/mysql-5.1/mysql-common_5.1.61-2_all.deb
mysql-server-5.1_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/mysql-server-5.1_5.1.61-2_amd64.deb
mysql-server-core-5.1_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/mysql-server-core-5.1_5.1.61-2_amd64.deb
mysql-server_5.1.61-2_all.deb
  to main/m/mysql-5.1/mysql-server_5.1.61-2_all.deb
mysql-source-5.1_5.1.61-2_amd64.deb
  to main/m/mysql-5.1/mysql-source-5.1_5.1.61-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659687@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Byrum <clint@ubuntu.com> (supplier of updated mysql-5.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 02 Mar 2012 00:20:47 -0800
Source: mysql-5.1
Binary: libmysqlclient16 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.1 mysql-server-core-5.1 mysql-server-5.1 mysql-server mysql-client mysql-source-5.1
Architecture: source all amd64
Version: 5.1.61-2
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Clint Byrum <clint@ubuntu.com>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient16 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - MySQL database development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.1 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.1 - MySQL database server binaries and system database setup
 mysql-server-core-5.1 - MySQL database server binaries
 mysql-source-5.1 - MySQL source
Closes: 659687
Changes: 
 mysql-5.1 (5.1.61-2) unstable; urgency=high
 .
   * SECURITY UPDATE: Unspecified vulnerabilities identified by Oracle
     in all versions of MySQL 5.1 earlier than 5.1.61. CVE list is as
     follows: CVE-2011-2262 CVE-2012-0075 CVE-2012-0087 CVE-2012-0101
     CVE-2012-0102 CVE-2012-0112 CVE-2012-0113 CVE-2012-0114 CVE-2012-0115
     CVE-2012-0116 CVE-2012-0118 CVE-2012-0119 CVE-2012-0120 CVE-2012-0484
     CVE-2012-0485 CVE-2012-0490 CVE-2012-0492. (Closes: #659687)
   * d/control: gs is now 'ghostscript'
   * d/control: libreadline5 -> libreadline6





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:02:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:42:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.