SUSE-SU-2015:0946

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

1032121

GLSA-201507-19

The remote host is affected by the vulnerability described in GLSA-201507-19 (MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MySQL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send a specially crafted request, possibly       resulting in execution of arbitrary code with the privileges of the       application or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

MySQL was updated to version 5.5.43 to fix several security and non security issues :

CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2576.

Fix integer overflow in regcomp (Henry Spencer's regex library) for excessively long pattern strings. (bnc#922043, CVE-2015-2305)

For a comprehensive list of changes, refer to <a href='http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html' >http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html</a>.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of MySQL installed on the remote host is version 5.6.x prior to 5.6.24. It is, therefore, affected by errors in the following components :

  - Server : Information Schema (CVE-2015-0500)

  - Server : InnoDB (CVE-2015-0508)

  - Server : InnoDB (CVE-2015-0506)

  - Server : Partition (CVE-2015-0503)

  - Server : Memcached (CVE-2015-0507)

  - Server : Security : Privileges (CVE-2015-2567)

  - Server : SP (CVE-2015-0511)

  - Server : Replication (CVE-2015-0498)

The version of MySQL running on the remote host is version 5.5.x prior to 5.5.43 or version 5.6.x prior to 5.6.24. It is, therefore, potentially affected by unspecified flaws in the following MySQL subcomponents that allow a denial of service by an authenticated, remote attacker :

  - Replication (CVE-2015-0498)
  - Federated (CVE-2015-0499)
  - Information Schema (CVE-2015-0500)
  - Compiling (CVE-2015-0501)
  - Partition (CVE-2015-0503)
  - DDL (CVE-2015-0505)
  - InnoDB (CVE-2015-0506, CVE-2015-0508)
  - Memcached (CVE-2015-0507)
  - SP (CVE-2015-0511)
  - Security : Privileges (CVE-2015-2567)
  - Optimizer (CVE-2015-2571)

ID	Name	Product	Family	Severity
86088	GLSA-201507-19 : MySQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
83860	SUSE SLED11 / SLES11 Security Update : MySQL (SUSE-SU-2015:0946-1) (FREAK)	Nessus	SuSE Local Security Checks	medium
8763	Oracle MySQL 5.6.x < 5.6.24 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
82800	MySQL 5.5.x < 5.5.43 / 5.6.x < 5.6.24 Multiple DoS Vulnerabilities (April 2015 CPU)	Nessus	Databases	medium

CVE-2015-0508

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium