Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected, due to a throw added in newer Node.js versions.

External Reference:
https://nodesecurity.io/advisories/602

Upstream Commit:
https://github.com/mysqljs/mysql/commit/310c6a7d1b2e14b63b572dbfbfa10128f20c6d52
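An application-side check for the condition described above, as an added example that is not code from the advisory or from the mysql project. All helper names are hypothetical, the sample inputs are constructed, and treating a missing password as an empty string is an assumption.

```javascript
// Added example; helper names are hypothetical, not part of the mysql package.

// Parse "v4.9.1" or "2.13.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('unrecognized version: ' + v);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b (numeric compare,
// so 2.9.0 is before 2.14.0).
function isBefore(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Affected range as stated in the advisory text: mysql < 2.14.0 on Node.js < 6.0.0.
function isAffected(mysqlVersion, nodeVersion) {
  return isBefore(mysqlVersion, '2.14.0') && isBefore(nodeVersion, '6.0.0');
}

// Reject any password that is not a string before it reaches the driver.
// A JSON config such as {"password": 123456} parses to a number, which is
// the input type the advisory describes.
function normalizePassword(password) {
  if (password === undefined || password === null) return ''; // assumption: no password set
  if (typeof password !== 'string') {
    throw new TypeError('password must be a string, got ' + typeof password);
  }
  return password;
}

// Buffer.from() encodes the characters of a string and throws on a number;
// it never treats its argument as an allocation size.
function passwordBytes(password) {
  return Buffer.from(normalizePassword(password), 'utf8');
}

// Constructed sample inputs.
const sample = JSON.parse('{"user": "app", "password": 123456}');
let rejected = false;
try { passwordBytes(sample.password); } catch (e) { rejected = e instanceof TypeError; }
console.log('affected:', isAffected('2.13.0', 'v4.9.1'), 'numeric rejected:', rejected);
```

In a running process, `isAffected` can be fed the installed package version and `process.version`.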
Created nodejs-mysql tracking bugs for this issue:

Affects: epel-all [bug 1578236]
Affects: fedora-all [bug 1578235]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.