Bug 1702956 (CVE-2018-3123) - CVE-2018-3123 mysql: Server: libmysqld unspecified vulnerability (CPU Apr 2019)
Summary: CVE-2018-3123 mysql: Server: libmysqld unspecified vulnerability (CPU Apr 2019)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-3123
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190416,repor...
Depends On: 1707103 1707104
Blocks: 1703000
TreeView+ depends on / blocked
 
Reported: 2019-04-25 09:18 UTC by Tomas Hoger
Modified: 2019-06-10 10:54 UTC (History)
21 users (show)

Fixed In Version: mysql 5.6.43, mysql 5.7.25, mysql 8.0.14
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:54:42 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2019-04-25 09:18:15 UTC
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: libmysqld). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Comment 1 Tomas Hoger 2019-05-06 13:51:11 UTC
The MySQL packages shipped as part of the Red Hat Software Collections do not provide libmysqld so they can not be affected by this issue.

The libmysqld was completely removed upstream in MySQL 8.0.1:

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-1.html
https://mysqlserverteam.com/mysql-8-0-retiring-support-for-libmysqld/

Hence CPU listing MySQL 8.0.13 as affected by this issue seems like a mistake.

MariaDB upstream indicates MariaDB was not affected by this flaw:

https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/#httpswwworaclecomtechnetworksecurity-advisorycpuapr2019-5072813htmlapril-2019

Comment 2 Tomas Hoger 2019-05-06 13:53:59 UTC
Oracle CPU indicates that this was fixed in MySQL packages released shortly after Jan 2019 CPU, so the fix is already included in the current non-modular community-mysql packages in the current Fedora versions.

Comment 3 Tomas Hoger 2019-05-06 19:55:32 UTC
Created mysql:5.6/community-mysql tracking bugs for this issue:

Affects: fedora-28 [bug 1707103]


Created mysql:5.7/community-mysql tracking bugs for this issue:

Affects: fedora-29 [bug 1707104]


Note You need to log in before you can comment on or make changes to this bug.