
oss-sec mailing list archives
Re: MySQL 0-day - does it need a CVE?
From: Henri Salo <henri () nerv fi>
Date: Fri, 10 Feb 2012 11:54:17 +0200
On Fri, Feb 10, 2012 at 12:36:46AM +0400, Solar Designer wrote:
> On Thu, Feb 09, 2012 at 10:09:44PM +0200, Henri Salo wrote:
> > Oracle MySQL Server CVE-2012-0492 Remote MySQL Server Vulnerability ???
> > http://www.securityfocus.com/bid/51516
>
> Why this one? The table at the bottom of:
>
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
>
> lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
> little other info. CVE-2012-0492 is one of them, but it does not stand
> out. (And I have no idea what it actually is, just like I have no idea
> about the remaining 26.)
>
> "This Critical Patch Update contains 27 new security fixes for Oracle
> MySQL. 1 of these vulnerabilities may be remotely exploitable without
> authentication, i.e., may be exploited over a network without the need
> for a username and password."
>
> That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
>
> I wish we had more info.
>
> Alexander

Sorry for not being clear. I am not sure what the CVE-identifier is as I told in my last email to this thread. New cases I have seen:

http://security-tracker.debian.org/tracker/CVE-2011-2262
http://security-tracker.debian.org/tracker/CVE-2012-0492

latter link with a list of "a different vulnerability than". I do NOT have any facts about these vulnerabilities. I hope Oracle coordinates issues like these with MITRE/US-CERT and adds more information to advisory and CVE after these are 100% public and distros are ready.

- Henri Salo