Debian Bug report logs - #670636
Multiple security issues in April security release

Package: mysql-5.1; Maintainer for mysql-5.1 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 27 Apr 2012 13:45:01 UTC

Severity: grave

Tags: pending, security

Fixed in versions mysql-5.1/5.1.62-1, 5.1.63-0+squeeze1

Done: Clint Byrum <clint@ubuntu.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#670636; Package mysql-5.1. (Fri, 27 Apr 2012 13:45:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 27 Apr 2012 13:45:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues in April security release
Date: Fri, 27 Apr 2012 15:39:52 +0200
Package: mysql-5.1
Severity: grave
Tags: security

Multiple - and yet again unspecified :-/ - security issues have been fixed in the April
Oracle security release:

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL

Affecting 5.1 and 5.5

CVE-2012-1703   MySQL Server   MySQL Protocol   Server Optimizer
CVE-2012-0583   MySQL Server   MySQL Protocol   MyISAM
CVE-2012-1688   MySQL Server   MySQL Protocol   Server DML
CVE-2012-1690   MySQL Server   MySQL Protocol   Server Optimizer

Affecting 5.5 only:
CVE-2012-1697   MySQL Server   MySQL Protocol   Partition
CVE-2012-1696   MySQL Server   MySQL Protocol   Server Optimizer

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#670636; Package mysql-5.1. (Sat, 28 Apr 2012 14:18:02 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sat, 28 Apr 2012 14:18:02 GMT)

Message #10 received at 670636@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 670636@bugs.debian.org
Cc: pkg-mysql-maint <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Re: [debian-mysql] Bug#670636: Multiple security issues in April security release
Date: Sat, 28 Apr 2012 15:14:59 +0100
Moritz,
	The Debian MySQL team is debating pushing mysql 5.5 into unstable 
(including the latest upstream releases), transitioning the dependencies 
and dropping mysql 5.1. As such you probably won't see  any activity on 
mysql 5.1 at all unless it becomes clear that this plan is unfeasible 
for some reason.


On 27/04/12 14:39, Moritz Muehlenhoff wrote:
> Package: mysql-5.1
> Severity: grave
> Tags: security
>
> Multiple - and yet again unspecified :-/ - security issues have been fixed in the April
> Oracle security release:
>
> http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL
>
> Affecting 5.1 and 5.5
>
> CVE-2012-1703   MySQL Server   MySQL Protocol   Server Optimizer
> CVE-2012-0583   MySQL Server   MySQL Protocol   MyISAM
> CVE-2012-1688   MySQL Server   MySQL Protocol   Server DML
> CVE-2012-1690   MySQL Server   MySQL Protocol   Server Optimizer
>
> Affecting 5.5 only:
> CVE-2012-1697   MySQL Server   MySQL Protocol   Partition
> CVE-2012-1696   MySQL Server   MySQL Protocol   Server Optimizer
>
> Cheers,
>          Moritz
>
>
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
>





Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#670636; Package mysql-5.1. (Sat, 28 Apr 2012 14:45:09 GMT)

Acknowledgement sent to Olaf van der Spek <ml@vdspek.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sat, 28 Apr 2012 14:45:09 GMT)

Message #15 received at 670636@bugs.debian.org:

From: Olaf van der Spek <ml@vdspek.org>
To: Nicholas Bamber <nicholas@periapt.co.uk>
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>, 670636@bugs.debian.org, pkg-mysql-maint <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Re: [debian-mysql] Bug#670636: Multiple security issues in April security release
Date: Sat, 28 Apr 2012 16:42:21 +0200
On Sat, Apr 28, 2012 at 4:14 PM, Nicholas Bamber <nicholas@periapt.co.uk> wrote:
> Moritz,
>        The Debian MySQL team is debating pushing mysql 5.5 into unstable
> (including the latest upstream releases), transitioning the dependencies and
> dropping mysql 5.1. As such you probably won't see  any activity on mysql
> 5.1 at all unless it becomes clear that this plan is unfeasible for some
> reason.

What's the cost of doing a new 5.1 release? Shouldn't be much trouble
(I assume).

Olaf




Added tag(s) pending. Request was from Clint Byrum <spamaps-guest@alioth.debian.org> to control@bugs.debian.org. (Tue, 01 May 2012 18:09:04 GMT)

Reply sent to Clint Byrum <clint@ubuntu.com>:
You have taken responsibility. (Thu, 03 May 2012 15:51:11 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 03 May 2012 15:51:11 GMT)

Message #22 received at 670636-close@bugs.debian.org:

From: Clint Byrum <clint@ubuntu.com>
To: 670636-close@bugs.debian.org
Subject: Bug#670636: fixed in mysql-5.1 5.1.62-1
Date: Thu, 03 May 2012 15:49:01 +0000
Source: mysql-5.1
Source-Version: 5.1.62-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.1, which is due to be installed in the Debian FTP archive:

libmysqlclient-dev_5.1.62-1_i386.deb
  to main/m/mysql-5.1/libmysqlclient-dev_5.1.62-1_i386.deb
libmysqlclient16_5.1.62-1_i386.deb
  to main/m/mysql-5.1/libmysqlclient16_5.1.62-1_i386.deb
libmysqld-dev_5.1.62-1_i386.deb
  to main/m/mysql-5.1/libmysqld-dev_5.1.62-1_i386.deb
libmysqld-pic_5.1.62-1_i386.deb
  to main/m/mysql-5.1/libmysqld-pic_5.1.62-1_i386.deb
mysql-5.1_5.1.62-1.diff.gz
  to main/m/mysql-5.1/mysql-5.1_5.1.62-1.diff.gz
mysql-5.1_5.1.62-1.dsc
  to main/m/mysql-5.1/mysql-5.1_5.1.62-1.dsc
mysql-5.1_5.1.62.orig.tar.gz
  to main/m/mysql-5.1/mysql-5.1_5.1.62.orig.tar.gz
mysql-client-5.1_5.1.62-1_i386.deb
  to main/m/mysql-5.1/mysql-client-5.1_5.1.62-1_i386.deb
mysql-client_5.1.62-1_all.deb
  to main/m/mysql-5.1/mysql-client_5.1.62-1_all.deb
mysql-common_5.1.62-1_all.deb
  to main/m/mysql-5.1/mysql-common_5.1.62-1_all.deb
mysql-server-5.1_5.1.62-1_i386.deb
  to main/m/mysql-5.1/mysql-server-5.1_5.1.62-1_i386.deb
mysql-server-core-5.1_5.1.62-1_i386.deb
  to main/m/mysql-5.1/mysql-server-core-5.1_5.1.62-1_i386.deb
mysql-server_5.1.62-1_all.deb
  to main/m/mysql-5.1/mysql-server_5.1.62-1_all.deb
mysql-source-5.1_5.1.62-1_i386.deb
  to main/m/mysql-5.1/mysql-source-5.1_5.1.62-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670636@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Byrum <clint@ubuntu.com> (supplier of updated mysql-5.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 May 2012 15:16:23 -0700
Source: mysql-5.1
Binary: libmysqlclient16 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.1 mysql-server-core-5.1 mysql-server-5.1 mysql-server mysql-client mysql-source-5.1
Architecture: source all i386
Version: 5.1.62-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Clint Byrum <clint@ubuntu.com>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient16 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - MySQL database development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.1 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.1 - MySQL database server binaries and system database setup
 mysql-server-core-5.1 - MySQL database server binaries
 mysql-source-5.1 - MySQL source
Closes: 670636
Changes: 
 mysql-5.1 (5.1.62-1) unstable; urgency=low
 .
   * SECURITY UPDATE: Multiple unspecified vulnerabilities identified
     by Oracle in versions of MySQL 5.1 prior to 5.1.62: CVE-2012-1703
     CVE-2012-0583 CVE-2012-1688 CVE-2012-1690. (Closes: #670636)
   * debian/watch: old mirror was empty, switching to a valid, up to date
     FTP mirror
   * Building source package with svn-buildpackage, so debdiff is large due
     to removing extra .svn files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#670636; Package mysql-5.1. (Tue, 15 May 2012 16:33:02 GMT)

Acknowledgement sent to Thomas Babut <tbabut@mobileobjects.de>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 15 May 2012 16:33:02 GMT)

Message #27 received at 670636@bugs.debian.org:

From: Thomas Babut <tbabut@mobileobjects.de>
To: 670636@bugs.debian.org
Subject: Multiple security issues in April security release
Date: Tue, 15 May 2012 18:31:21 +0200
What about Debian Squeeze? Are you planning to provide fixed mysql
packages for the current stable release of Debian, too?

Thanks.

-- 
Mit freundlichen Gruessen / Kind regards,
Thomas Babut




Added tag(s) pending. Request was from Clint Byrum <spamaps-guest@alioth.debian.org> to control@bugs.debian.org. (Tue, 12 Jun 2012 12:51:15 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#670636; Package mysql-5.1. (Mon, 16 Jul 2012 15:03:06 GMT)

Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 16 Jul 2012 15:03:06 GMT)

Message #34 received at 670636@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 670636@bugs.debian.org, control@bugs.debian.org
Subject: April security release - fixed in stable-security
Date: Mon, 16 Jul 2012 16:49:06 +0200
fixed 670636 5.1.63-0+squeeze1
thanks

670636 is fixed in stable-security (shouldn't it really be closed now?)

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Marked as fixed in versions 5.1.63-0+squeeze1. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Mon, 16 Jul 2012 15:03:08 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:41:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:48:50 2014; Machine Name: buxtehude.debian.org
