Red Hat Bugzilla – Full Text Bug Listing
|Summary:|mysql: Oracle CPU July 2012|
|Product:|[Other] Security Response|
|Component:|vulnerability|
|Reporter:|Tomas Hoger <thoger>|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|CLOSED ERRATA|
|Fixed In Version:|mysql 5.1.63, mysql 5.5.24|
|Doc Type:|Bug Fix|
|Last Closed:|2014-01-21 10:19:35 EST|
|Bug Depends On:|814605, 833737, 833742, 841349, 841351, 841353, 841354, 841356, 841360, 871813, 871814|

Description Tomas Hoger 2012-06-15 13:05:22 EDT
This bug is for Oracle Critical Patch Update Advisory - July 2012 planned to be released on July 17 and that is expected to list several MySQL flaws:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html

So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

were released in the last CPU in April 2012:

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

which covered fixes in version 5.1.62 and 5.5.22. Apr 2012 CPU is covered by bug #832477.

This bug attempts to list issues that were already made public via released MySQL versions or bazaar commits.

Comment 1 Tomas Hoger 2012-06-15 13:11:13 EDT
A rather important password verification flaw was disclosed recently and got CVE-2012-2122 assigned. Refer to bug 814605 for details.

Basic info:

5.1.63 and 5.5.24 release notes mention this security fix:

* Security Fix: Bug #64884 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Upstream commit:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED

Comment 2 Tomas Hoger 2012-06-15 13:35:20 EDT
Another security fix mentioned in the 5.1.63 release notes is:

* Security Fix: Bug #59387 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

Matching upstream commit is:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
Bug#11766300 59387: FAILING ASSERTION: CURSOR->POS_STATE == 1997660512 (BTR_PCUR_IS_POSITIONE
Bug#13639204 64111: CRASH ON SELECT SUBQUERY WITH NON UNIQUE INDEX

This issue allows a non-admin database user with full SQL access to crash mysqld.

It is also fixed in 5.5.24, but is not mentioned in the release notes or the changelog file bundled in the source tarball. This issue also affects MySQL 5.0.

Comment 3 Tomas Hoger 2012-06-15 13:37:12 EDT
5.5.23 release notes mention:

* Security Fix: Bug #59533 was fixed.

http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html

I'm currently unable to find any commit that references the mentioned bug.

Comment 4 Tomas Hoger 2012-07-14 09:11:46 EDT
Oracle July CPU to be released on Jul 17 will fix 6 MySQL issues according to the pre-release announcement:

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Comment 5 Tomas Hoger 2012-08-03 05:47:42 EDT
(In reply to comment #0)
> So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:
>
> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

Oracle July CPU only describes MySQL issues fixed in versions 5.1.63, 5.5.23, and 5.5.24. Even though 5.5.25 and 5.5.25a were released before the CPU release, it may mean that they don't include any security fixes or that they will only be announced in the next CPU in October.