SUSE-SU-2015:0946

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

1032121

GLSA-201507-19

The remote host is affected by the vulnerability described in GLSA-201507-19 (MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MySQL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send a specially crafted request, possibly       resulting in execution of arbitrary code with the privileges of the       application or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

MySQL was updated to version 5.5.43 to fix several security and non security issues :

CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2576.

Fix integer overflow in regcomp (Henry Spencer's regex library) for excessively long pattern strings. (bnc#922043, CVE-2015-2305)

For a comprehensive list of changes, refer to <a href='http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html' >http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html</a>.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of MySQL installed on the remote host is version 5.6.x prior to 5.6.23. It is, therefore, affected by errors in the following components :

  - Server : InnoDB (CVE-2015-0439)

  - Server : Optimizer (CVE-2015-0423)

  - Server : Partition (CVE-2015-0438)

  - Server : XA (CVE-2015-0405)

  - Server : DML (CVE-2015-2566)

The version of MySQL running on the remote host is version 5.5.x prior to 5.5.42 or version 5.6.x prior to 5.6.23. It is, therefore, potentially affected by multiple denial of service vulnerabilities :

  - A NULL pointer dereference flaw exists when the SSLv3     option isn't enabled and an SSLv3 ClientHello is     received. This allows a remote attacker, using an     unexpected handshake, to crash the daemon, resulting in     a denial of service. (CVE-2014-3569)

  - Additionally, there are unspecified flaws in the     following MySQL subcomponents that allow a denial of     service by an authenticated, remote attacker :

    - XA (CVE-2015-0405)
    - Optimizer (CVE-2015-0423)
    - InnoDB : DML (CVE-2015-0433)
    - Partition (CVE-2015-0438)
    - InnoDB (CVE-2015-0439)
    - Security : Encryption (CVE-2015-0441)
    - DML (CVE-2015-2566)
    - Security : Privileges (CVE-2015-2568)
    - DDL (CVE-2015-2573)

ID	Name	Product	Family	Severity
86088	GLSA-201507-19 : MySQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
83860	SUSE SLED11 / SLES11 Security Update : MySQL (SUSE-SU-2015:0946-1) (FREAK)	Nessus	SuSE Local Security Checks	medium
8762	Oracle MySQL 5.6.x < 5.6.23 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
82799	MySQL 5.5.x < 5.5.42 / 5.6.x < 5.6.23 Multiple DoS Vulnerabilities (April 2015 CPU)	Nessus	Databases	medium

CVE-2015-2566

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

medium

medium

medium