Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: MySQL 0-day - does it need a CVE?
From: Solar Designer <solar () openwall com>
Date: Fri, 10 Feb 2012 00:36:46 +0400

On Thu, Feb 09, 2012 at 10:09:44PM +0200, Henri Salo wrote:
Oracle MySQL Server CVE-2012-0492 Remote MySQL Server Vulnerability ??? http://www.securityfocus.com/bid/51516

Why this one?

The table at the bottom of:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
little other info.  CVE-2012-0492 is one of them, but it does not stand
out.  (And I have no idea what it actually is, just like I have no idea
about the remaining 26.)

"This Critical Patch Update contains 27 new security fixes for Oracle
MySQL.  1 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need
for a username and password."

That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.

I wish we had more info.

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault