Bug 1153483 (CVE-2014-6491)

Summary: CVE-2014-6491 mysql: unspecified vulnerability related to SERVER:SSL:yaSSL (CPU October 2014)
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: abaron, aortega, apevec, ayoung, byte, carnil, chrisw, dallan, databases-maint, gkotton, hhorak, jdornak, jorton, jstanek, lhh, lpeer, markmc, mmaslano, mmuzila, rbryant, rohara, sclewis, vdanen, yeylon
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-10-16 08:06:27 UTC
Bug Blocks: 1153468

Description Murray McAllister 2014-10-16 05:37:46 UTC
The following issue has been fixed in MySQL:

"Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier
and 5.6.20 and earlier allows remote attackers to affect
confidentiality, integrity, and availability via vectors related to
SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500."

References:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Comment 1 Tomas Hoger 2014-10-16 08:06:27 UTC
MySQL packages in Red Hat Enterprise Linux and Fedora are built against system OpenSSL and do not use bundled yaSSL. Hence they cannot be affected by any yaSSL issues.

Statement:

This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they use the system OpenSSL library rather than yaSSL.