oss-sec mailing list archives

Re: MySQL 0-day - does it need a CVE?
From: Solar Designer <solar () openwall com>
Date: Sat, 11 Feb 2012 12:50:47 +0400

On Fri, Feb 10, 2012 at 12:36:46AM +0400, Solar Designer wrote:
> The table at the bottom of:
>
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
>
> lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
> little other info.

Here's a more direct link:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL

(e.g. for referring to in distro advisories).

News story summarizing the problem (in Russian, sorry):

http://www.opennet.ru/opennews/art.shtml?num=33051

It also mentions that Oracle Linux merely reuses RHEL's updates to
MySQL without any reference to Oracle's own MySQL vulnerability/fix
info.  So it is not even clear whether Oracle Linux has these 27 bugs in
MySQL fixed or not, despite MySQL being an Oracle product.

Alexander
