Bug 832540 (mysql-cpu-2012-07) - mysql: Oracle CPU July 2012
Summary: mysql: Oracle CPU July 2012
Status: CLOSED ERRATA
Alias: mysql-cpu-2012-07
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
URL: http://www.oracle.com/technetwork/top...
Depends On: CVE-2012-2122 CVE-2012-2749 CVE-2012-2750 CVE-2012-0540 CVE-2012-1689 CVE-2012-1734 CVE-2012-1735 CVE-2012-1756 CVE-2012-1757 871813 871814
Blocks: 833743
Reported: 2012-06-15 17:05 UTC by Tomas Hoger
Modified: 2019-09-29 12:53 UTC

Fixed In Version: mysql 5.1.63, mysql 5.5.24
Doc Type: Bug Fix
Last Closed: 2014-01-21 15:19:35 UTC


Links
System ID Priority Status Summary Last Updated
Debian BTS 682210 None None None 2012-07-20 13:10:18 UTC
Debian BTS 682212 None None None 2012-07-20 13:10:34 UTC
Gentoo 417989 None None None 2012-07-23 07:30:32 UTC
Novell 771996 None None None 2012-07-19 07:37:20 UTC

Description Tomas Hoger 2012-06-15 17:05:22 UTC
This bug is for the Oracle Critical Patch Update Advisory - July 2012, which is planned to be released on July 17 and is expected to list several MySQL flaws:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html

So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

were released in the last CPU in April 2012:

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

which covered fixes in version 5.1.62 and 5.5.22.  Apr 2012 CPU is covered by bug #832477.

This bug attempts to list issues that were already made public via released MySQL versions or bazaar commits.

Comment 1 Tomas Hoger 2012-06-15 17:11:13 UTC
A rather important password verification flaw was disclosed recently and got CVE-2012-2122 assigned.  Refer to bug 814605 for details.

Basic info:
5.1.63 and 5.5.24 release notes mention this security fix:
 * Security Fix: Bug #64884 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
Bug #13934049: 64884: LOGINS WITH INCORRECT PASSWORD ARE ALLOWED

Comment 2 Tomas Hoger 2012-06-15 17:35:20 UTC
Another security fix mentioned in the 5.1.63 release notes is:

 * Security Fix: Bug #59387 was fixed.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html

Matching upstream commit is:

http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.16
Bug#11766300 59387: FAILING ASSERTION: CURSOR->POS_STATE == 1997660512 (BTR_PCUR_IS_POSITIONE
Bug#13639204 64111: CRASH ON SELECT SUBQUERY WITH NON UNIQUE INDEX

This issue allows a non-admin database user with full SQL access to crash mysqld.

It is also fixed in 5.5.24, but is not mentioned in the release notes or the changelog file bundled in the source tarball.  This issue also affects MySQL 5.0.

Comment 3 Tomas Hoger 2012-06-15 17:37:12 UTC
5.5.23 release notes mention:

 * Security Fix: Bug #59533 was fixed.

http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html

I'm currently unable to find any commit that references the mentioned bug.

Comment 4 Tomas Hoger 2012-07-14 13:11:46 UTC
Oracle July CPU to be released on Jul 17 will fix 6 MySQL issues according to the pre-release announcement:
  http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Comment 5 Tomas Hoger 2012-08-03 09:47:42 UTC
(In reply to comment #0)
> So far, MySQL versions 5.1.63, 5.5.23, 5.5.24, and 5.5.25:
> 
> http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-23.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
> http://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html

Oracle July CPU only describes MySQL issues fixed in versions 5.1.63, 5.5.23, and 5.5.24.  Even though 5.5.25 and 5.5.25a were released before the CPU release, it may mean that they don't include any security fixes or that they will only be announced in the next CPU in October.
