Debian Bug report logs - #677018
mysql-5.1: CVE-2012-2122: MySQL authentication bypass


Package: mysql-5.1; Maintainer for mysql-5.1 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 11 Jun 2012 08:09:02 UTC

Severity: serious

Tags: security

Found in version 5.1.61-0+squeeze1

Fixed in version 5.1.62-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Mon, 11 Jun 2012 08:09:04 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 11 Jun 2012 08:09:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: mysql-5.1: CVE-2012-2122: MySQL authentication bypass
Date: Mon, 11 Jun 2012 11:04:33 +0300

Package: mysql-5.1
Version: 5.1.61-0+squeeze1
Severity: important
Tags: security

http://seclists.org/oss-sec/2012/q2/493
https://www.secmaniac.com/blog/2012/06/11/massive-mysql-authentication-bypass-exploit/

I haven't verified this as I do not have time at the moment.

References from the email:

References:

MariaDB bug report: https://mariadb.atlassian.net/browse/MDEV-212
MariaDB fix: http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3144
MySQL bug report: http://bugs.mysql.com/bug.php?id=64884
MySQL fix: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
MySQL changelog: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4.1 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Mon, 11 Jun 2012 08:15:07 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 11 Jun 2012 08:15:08 GMT)

Message #10 received at 677018@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 677018@bugs.debian.org
Subject: more info
Date: Mon, 11 Jun 2012 11:11:01 +0300

This https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql says:

"""
Feedback so far indicates the following platforms are NOT vulnerable:
Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
Debian Linux lenny 32-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
Debian Linux lenny 64-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
Debian Linux lenny 64-bit 5.1.51-1-log ( via @matthewbloch )
Debian Linux squeeze 64-bit 5.1.49-3-log ( via @matthewbloch )
Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
"""




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Mon, 11 Jun 2012 19:03:08 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 11 Jun 2012 19:03:08 GMT)

Message #15 received at 677018@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 677018@bugs.debian.org
Subject: mysql-5.1: CVE-2012-2122: MySQL authentication bypass
Date: Mon, 11 Jun 2012 21:02:05 +0200

Hi,

I have done several tries on several systems (lenny, squeeze,
squeeze-without-DSA-2429, wheezy) and am not able to reproduce the issue.
Others report a similar experience. I don't dare to say yet with certainty
that no version of MySQL in any Debian release is vulnerable, but I have
not been able to find one yet.

Cheers,
Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 04:00:03 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 04:00:03 GMT)

Message #20 received at 677018@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 677018@bugs.debian.org
Cc: pkg-mysql-maint@lists.alioth.debian.org
Subject: more information
Date: Tue, 12 Jun 2012 06:57:10 +0300

I am unable to reproduce this issue in Debian stable, but I am not closing this bug report yet as this is such a serious issue that I would like someone else to verify this. I only tested in squeeze.

- Henri Salo




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 08:03:06 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 08:03:07 GMT)

Message #25 received at 677018@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Henri Salo <henri@nerv.fi>, 677018@bugs.debian.org
Cc: pkg-mysql-maint@lists.alioth.debian.org
Subject: Re: [debian-mysql] Bug#677018: more information
Date: Tue, 12 Jun 2012 08:57:28 +0100

Henri,
	I seem to recall that this bug is fixed in 5.5.24 which actually is in
testing. The migration is not yet complete and probably still has a week
or two to go at the least. But does that change your calculations at all?

On 12/06/12 04:57, Henri Salo wrote:
> I am unable to reproduce this issue in Debian stable, but I am not closing this bug report yet as this is such a serious issue that I would like someone else to verify this. I only tested in squeeze.
> 
> - Henri Salo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 09:06:05 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 09:06:06 GMT)

Message #30 received at 677018@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 677018@bugs.debian.org
Subject: Re: [debian-mysql] Bug#677018: more information
Date: Tue, 12 Jun 2012 11:02:40 +0200

Hi Nicholas,

> I seem to recall that this bug is fixed in 5.5.24 which actually is in
> testing. The migration is not yet complete and probably still has a week
> or two to go at the least. But does that change your calculations at all?

Yes, 5.5 seems fixed in both sid and wheezy.

As for 5.1, although our specific builds are not currently vulnerable this
can not be guaranteed if they are rebuilt in different circumstances. Will
5.1 be in wheezy or will it be removed soon? If it's going to stay around
please upload 5.1.63 a.s.a.p.


Cheers,
Thijs





Severity set to 'serious' from 'important' Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Tue, 12 Jun 2012 09:06:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 09:36:18 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 09:36:19 GMT)

Message #37 received at 677018@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Thijs Kinkhorst <thijs@debian.org>, 677018@bugs.debian.org
Cc: pkg-mysql-maint <pkg-mysql-maint@lists.alioth.debian.org>
Subject: Re: [debian-mysql] Bug#677018: Bug#677018: more information
Date: Tue, 12 Jun 2012 10:34:24 +0100

Thijs,
	No, we are planning to remove 5.1 before wheezy is released. I just fear
the timescale is "not soon enough".

On 12/06/12 10:02, Thijs Kinkhorst wrote:
> Hi Nicholas,
> 
>> I seem to recall that this bug is fixed in 5.5.24 which actually is in
>> testing. The migration is not yet complete and probably still has a week
>> or two to go at the least. But does that change your calculations at all?
> 
> Yes, 5.5 seems fixed in both sid and wheezy.
> 
> As for 5.1, although our specific builds are not currently vulnerable this
> can not be guaranteed if they are rebuilt in different circumstances. Will
> 5.1 be in wheezy or will it be removed soon? If it's going to stay around
> please upload 5.1.63 a.s.a.p.
> 
> 
> Cheers,
> Thijs





Added tag(s) pending. Request was from Clint Byrum <spamaps-guest@alioth.debian.org> to control@bugs.debian.org. (Tue, 12 Jun 2012 12:51:16 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 16:12:14 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 16:12:14 GMT)

Message #44 received at 677018@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: Nicholas Bamber <nicholas@periapt.co.uk>
Cc: 677018@bugs.debian.org, pkg-mysql-maint@lists.alioth.debian.org
Subject: Re: [debian-mysql] Bug#677018: more information
Date: Tue, 12 Jun 2012 19:10:43 +0300

On Tue, Jun 12, 2012 at 08:57:28AM +0100, Nicholas Bamber wrote:
> Henri,
> 	I seem to recall that this bug is fixed in 5.5.24 which actually is in
> testing. The migration is not yet complete and probably still has a week
> or two to go at the least. But does that change your calculations at all?

What do you mean by calculations? Please close the bug if it is handled. At least running "the oneliner" in Debian squeeze MySQL-server using the client-package squeeze is not affected.

- Henri Salo




Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#677018; Package mysql-5.1. (Tue, 12 Jun 2012 16:33:04 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 12 Jun 2012 16:33:04 GMT)

Message #49 received at 677018@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Henri Salo <henri@nerv.fi>
Cc: 677018@bugs.debian.org, pkg-mysql-maint@lists.alioth.debian.org
Subject: Re: [debian-mysql] Bug#677018: more information
Date: Tue, 12 Jun 2012 17:30:19 +0100

I believe Clint is updating squeeze just to be safe. We will be updating
wheezy just to be safe. Most likely both updates would have happened
anyway.


On 12/06/12 17:10, Henri Salo wrote:
> On Tue, Jun 12, 2012 at 08:57:28AM +0100, Nicholas Bamber wrote:
>> Henri,
>> 	I seem to recall that this bug is fixed in 5.5.24 which actually is in
>> testing. The migration is not yet complete and probably still has a week
>> or two to go at the least. But does that change your calculations at all?
> 
> What do you mean by calculations? Please close the bug if it is handled. At least running "the oneliner" in Debian squeeze MySQL-server using the client-package squeeze is not affected.
> 
> - Henri Salo





Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Thu, 05 Jul 2012 15:59:43 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 05 Jul 2012 15:59:44 GMT)

Message #54 received at 677018-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Cc: mysql-5.1@packages.debian.org, mysql-5.1@packages.qa.debian.org
Subject: Bug#680362: Removed package(s) from unstable
Date: Thu, 05 Jul 2012 15:53:12 +0000

Version: 5.1.62-1+rm

Dear submitter,

as the package mysql-5.1 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/680362

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Aug 2012 07:28:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:25:51 2014; Machine Name: buxtehude.debian.org
