Re: MySQL CVEs (was: Security vulnerability in MySQL/MariaDB sql/password.c)
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 18 Jun 2012 18:50:01 +0200
Hijacking this thread a bit...
On Sat, 9 Jun 2012 17:30:38 +0200 Sergei Golubchik wrote:
MySQL bug report:
In addition to 64884 / CVE-2012-2122 reported by Sergei, 5.1.63 release
notes also mention additional security fix:
* Security Fix: Bug #59387 was fixed.
which can be tracked to the following commit:
This allows a non-admin MySQL user to crash mysqld. The fix is also in
5.5.24, but it is not mentioned in the 5.5.24 release notes or the changelog
file included in the sources. 5.0.x is affected too. Can the CVE be
assigned? I'm CCing Oracle security team explicitly, so they can reply
with their existing assignment (if any), and/or are aware of the new
Additionally, 5.5.23 changes include another security fix:
* Security Fix: Bug #59533 was fixed.
However, I've not had much luck trying to find a commit or any further
info for this issue. Upstream bug is private. Does anyone have any
Additionally, the following bugs try to collect info on MySQL security
fixes in the last released and an upcoming Oracle CPU:
It would be nice if Oracle could confirm the mapping between CVEs and
particular issues to avoid any incorrect guesses.
If anyone else has been looking into trying to map Oracle assigned CVEs
to specific changes and has any info missing in the above bugs, feel
free to comment there.
Tomas Hoger / Red Hat Security Response Team