Bug 789141 (CVE-2012-0882) - CVE-2012-0882 mysql: unspecified remote exploit (released with VulnDisco Pack Professional 9.17)
Summary: CVE-2012-0882 mysql: unspecified remote exploit (released with VulnDisco Pack...
Keywords:
Status: CLOSED CANTFIX
Alias: CVE-2012-0882
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 789142
TreeView+ depends on / blocked
 
Reported: 2012-02-09 22:47 UTC by Vincent Danen
Modified: 2019-09-29 12:50 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-13 10:19:04 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-02-09 22:47:11 UTC
It was reported [1] that VulnDisco Pack Professional 9.17 contains a working remote 0-day exploit against MySQL 5.5.20.  No further information has been provided or is currently available.

Note: Since no further detailed information is currently available about this flaw, Red Hat Security Response Team is actively investigating the progress done on this (both with upstream and the reporter) and will update this record with further information as soon as it is available.

[1] https://lists.immunityinc.com/pipermail/canvas/2012-February/000011.html

Comment 1 Huzaifa S. Sidhpurwala 2012-02-13 10:18:28 UTC
Statement:

We do not currently plan to fix this issue due to the lack of further
information about the flaw and its impact. If more information becomes
available at a future date, we may revisit the issue.

Comment 2 Tomas Hoger 2012-02-24 08:12:19 UTC
Bit more additional info can be found in:

https://lists.immunityinc.com/pipermail/canvas/2012-February/000014.html
http://partners.immunityinc.com/movies/VD-MySQL-5_5_20.mov

Exploit notes shown in the video indicate that the flaw is "yassl buffer overflow".  MySQL packages in Red Hat Enterprise Linux and Fedora do not use yaSSL and are linked against system OpenSSL library to provide SSL.  Hence if this really is a yaSSL flaw, Red Hat Enterprise Linux and Fedora packages should be unaffected.

Comment 3 Vincent Danen 2012-03-05 21:47:13 UTC
This was assigned CVE-2012-0882:

http://www.openwall.com/lists/oss-security/2012/02/24/2


Note You need to log in before you can comment on or make changes to this bug.