Debian Bug report logs - #682210
CVE-2012-1735 CVE-2012-0540 CVE-2012-1757 CVE-2012-1756 CVE-2012-1734 CVE-2012-1689

Package: mysql-5.5; Maintainer for mysql-5.5 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 20 Jul 2012 10:21:01 UTC

Severity: grave

Tags: security

Fixed in version 5.5.24+dfsg-1

Done: Nicholas Bamber <nicholas@periapt.co.uk>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#682210; Package mysql-5.5. (Fri, 20 Jul 2012 10:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 20 Jul 2012 10:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-1735 CVE-2012-0540 CVE-2012-1757 CVE-2012-1756 CVE-2012-1734 CVE-2012-1689
Date: Fri, 20 Jul 2012 12:17:16 +0200

Package: mysql-5.5
Severity: grave
Tags: security

New MySQL security round:

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

CVE-2012-1735  MySQL Server  MySQL Protocol  Server Optimizer  No  6.8  Network  Low  Single  None  None  Complete  5.5.23 and earlier
CVE-2012-0540  MySQL Server  MySQL Protocol  GIS Extension     No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.23 and earlier
CVE-2012-1757  MySQL Server  MySQL Protocol  InnoDB            No  4.0  Network  Low  Single  None  None  Partial+  5.5.23 and earlier
CVE-2012-1756  MySQL Server  MySQL Protocol  Server            No  4.0  Network  Low  Single  None  None  Partial+  5.5.23 and earlier
CVE-2012-1734  MySQL Server  MySQL Protocol  Server Optimizer  No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.23 and earlier
CVE-2012-1689  MySQL Server  MySQL Protocol  Server Optimizer  No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.22 and earlier

The advisory is confusing, I'm not sure which upstream version fixes these
issues. I'm afraid we'll have to update to a new upstream, though.

Maybe we can switch to a FLOSS-friendly fork like mariadb after Wheezy
release...

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#682210; Package mysql-5.5. (Fri, 20 Jul 2012 16:21:02 GMT)

Acknowledgement sent to Olaf van der Spek <ml@vdspek.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 20 Jul 2012 16:21:02 GMT)

Message #10 received at 682210@bugs.debian.org:

From: Olaf van der Spek <ml@vdspek.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 682210@bugs.debian.org
Subject: Re: [debian-mysql] Bug#682210: CVE-2012-1735 CVE-2012-0540 CVE-2012-1757 CVE-2012-1756 CVE-2012-1734 CVE-2012-1689
Date: Fri, 20 Jul 2012 18:16:37 +0200

On Fri, Jul 20, 2012 at 12:17 PM, Moritz Muehlenhoff
<muehlenhoff@univention.de> wrote:
> Maybe we can switch to a FLOSS-friendly fork like mariadb after Wheezy
> release...

Postgres might be a better alternative.

-- 
Olaf



Marked as fixed in versions 5.5.24+dfsg-1. Request was from Clint Byrum <clint@ubuntu.com> to control@bugs.debian.org. (Fri, 20 Jul 2012 21:42:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#682210; Package mysql-5.5. (Mon, 23 Jul 2012 11:09:07 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 23 Jul 2012 11:09:07 GMT)

Message #17 received at 682210@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 682210@bugs.debian.org, debian-security@lists-debian.org, security@debian.org
Subject: Mysql-5.5
Date: Mon, 23 Jul 2012 11:59:00 +0100

Moritz,
Do you still see any reason to keep this bug report open?



Reply sent to Nicholas Bamber <nicholas@periapt.co.uk>:
You have taken responsibility. (Thu, 26 Jul 2012 07:24:04 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 26 Jul 2012 07:24:04 GMT)

Message #22 received at 682210-done@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: 682210-done@bugs.debian.org
Cc: debian-security@debian.org
Subject: mysql-5.5
Date: Thu, 26 Jul 2012 08:21:13 +0100

No reply from security team so closing.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 Oct 2012 07:26:13 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:46:39 2014; Machine Name: beach.debian.org