RHSA-2016:1601

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

91787

91943

1036362

USN-3040-1

RHSA-2016:1132

https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10114-release-notes/

mysql-community-server was updated to 5.6.34 to fix the following issues :

  - Changes     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     34.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     33.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     32.html     http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-     31.html

  - fixed CVEs: CVE-2016-6304, CVE-2016-6662, CVE-2016-7440,     CVE-2016-5584, CVE-2016-5617, CVE-2016-5616,     CVE-2016-5626, CVE-2016-3492, CVE-2016-5629,     CVE-2016-5507, CVE-2016-8283, CVE-2016-5609,     CVE-2016-5612, CVE-2016-5627, CVE-2016-5630,     CVE-2016-8284, CVE-2016-8288, CVE-2016-3477,     CVE-2016-2105, CVE-2016-3486, CVE-2016-3501,     CVE-2016-3521, CVE-2016-3615, CVE-2016-3614,     CVE-2016-3459, CVE-2016-5439, CVE-2016-5440

  - fixes SUSE Bugs: [boo#999666], [boo#998309],     [boo#1005581], [boo#1005558], [boo#1005563],     [boo#1005562], [boo#1005566], [boo#1005555],     [boo#1005569], [boo#1005557], [boo#1005582],     [boo#1005560], [boo#1005561], [boo#1005567],     [boo#1005570], [boo#1005583], [boo#1005586],     [boo#989913], [boo#977614], [boo#989914], [boo#989915],     [boo#989919], [boo#989922], [boo#989921], [boo#989911],     [boo#989925], [boo#989926]

  - append '--ignore-db-dir=lost+found' to the mysqld     options in 'mysql-systemd-helper' script if 'lost+found'     directory is found in $datadir [boo#986251] 

  - remove syslog.target from *.service files [boo#983938]

  - add systemd to deps to build on leap and friends 

  - replace '%{_libexecdir}/systemd/system' with %{_unitdir}     macro

  - remove useless mysql@default.service [boo#971456]

  - replace all occurrences of the string '@sysconfdir@'     with '/etc' in     mysql-community-server-5.6.3-logrotate.patch as it     wasn't expanded properly [boo#990890]

  - remove '%define _rundir' as 13.1 is out of support scope

  - run 'usermod -g mysql mysql' only if mysql user is not     in mysql group. Run 'usermod -s /bin/false/ mysql' only     if mysql user doesn't have '/bin/false' shell set.

  - re-enable mysql profiling

The specific version of MySQL Server that the system is running is reportedly affected by the following vulnerabilities:

- Oracle MySQL Server contains an unspecified flaw related to the FTS subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-3486)

- Oracle MySQL Server contains an unspecified flaw related to the Optimizer subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-3501)

- Oracle MySQL Server contains an unspecified flaw related to the Encryption subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-3614)

- Oracle MySQL Server contains an unspecified flaw related to the InnoDB subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-3459)

- Oracle MySQL Server contains an unspecified flaw related to the Privileges subcomponent. This may allow an authenticated attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5439)

The version of MySQL installed on the remote host is 5.5.x prior to 5.5.50, 5.6.x prior to 5.6.31, or 5.7.x prior to 5.7.13. It is therefore affected by vulnerabilities in the following components :

 - Connection
 - Data Manipulation Language
 - Encryption
 - Full-Text Search
 - InnoDB
 - Optimizer
 - Parser
 - Privileges
 - Row-Based Replication
 - Replication
 - Types

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. (CVE-2016-5440)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. (CVE-2016-3459)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: Privileges. (CVE-2016-5439)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. (CVE-2016-3477)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption. (CVE-2016-3614)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote authenticated users to affect availability via vectors related to Server: DML. (CVE-2016-3615)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-3521)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote authenticated users to affect availability via vectors related to Server: FTS. (CVE-2016-3486)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. (CVE-2016-3501)

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.50 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.10 has been updated to MySQL 5.6.31. Ubuntu 16.04 LTS has been updated to MySQL 5.7.13.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-50.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-31.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-13.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720 .html.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Oracle reports :

The quarterly Critical Patch Update contains 22 new security fixes for Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier

The version of MySQL running on the remote host is 5.7.x prior to 5.7.13. It is, therefore, affected by multiple vulnerabilities :

  - A heap buffer overflow condition exists in the     EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - Multiple unspecified flaws exist in the Optimizer     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3424, CVE-2016-3440, CVE-2016-3501,     CVE-2016-3518)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - Multiple unspecified flaws exist in the InnoDB     subcomponent that allow an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3459, CVE-2016-5436)

  - An unspecified flaw exists in the Parser subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3477)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3486)

  - An unspecified flaw exists in the Types subcomponent     that allows an authenticated, remote attacker to cause     a denial of service condition. (CVE-2016-3521)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to impact     integrity and confidentiality. (CVE-2016-3588)

  - Multiple unspecified flaws exist in the Security:
    Encryption subcomponent that allow an authenticated,     remote attacker to cause a denial of service condition.
    (CVE-2016-3614, CVE-2016-5442)

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3615)

  - An unspecified flaw exists in the Log subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5437)

  - An unspecified flaw exists in the Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5439)

  - An unspecified flaw exists in the RBR subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5440)

  - An unspecified flaw exists in the Replication     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5441)

  - An unspecified flaw exists in the Connection     subcomponent that allows a local attacker to cause a     denial of service condition. (CVE-2016-5443)

  - An unspecified flaw exists in the Connection     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-5444)

  - An unspecified flaw exists in the InnoDB Plugin     subcomponent that allows an authenticated, remote     attacker to impact integrity. (CVE-2016-8288)

  - Multiple flaws exist in InnoDB that are triggered when     handling specially crafted 'ALTER TABLE' operations. An     authenticated, remote attacker can exploit these issues     to crash the database, resulting in a denial of service     condition.

  - Multiple overflow conditions exist due to improper     validation of user-supplied input. An authenticated,     remote attacker can exploit these issues to cause a     denial of service condition or the execution of     arbitrary code.

  - A NULL pointer dereference flaw exists in a parser     structure that is triggered during the validation of     stored procedure names. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - Multiple overflow conditions exist in the InnoDB     memcached plugin due to improper validation of     user-supplied input. An authenticated, remote attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists that is triggered when     invoking Enterprise Encryption functions in multiple     threads simultaneously or after creating and dropping     them. An authenticated, remote attacker can exploit this     to crash the database, resulting in a denial of service     condition.

  - An unspecified flaw exists that is triggered when     handling a 'SELECT ... GROUP BY ... FOR UPDATE' query     executed with a loose index scan. An authenticated,     remote attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - An unspecified flaw exists that is triggered when     performing a 'FLUSH TABLES' operation on a table with a     discarded tablespace. An authenticated, remote attacker     can exploit this to crash the database, resulting in a     denial of service condition.

  - A flaw exists in InnoDB that is triggered when     performing an 'OPTIMIZE TABLE' operation on a table with     a full-text index. An authenticated, remote attacker can     exploit this to crash the database, resulting in a     denial of service condition.

  - An unspecified flaw exists that is triggered when     performing an UPDATE operation on a generated virtual     BLOB column. An authenticated, remote attacker can     exploit this to crash the database, resulting in a     denial of service condition.

  - An unspecified flaw exists that is triggered when     performing a 'SHOW CREATE TABLE' operation on a table     with a generated column. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MySQL running on the remote host is 5.6.x prior to 5.6.31. It is, therefore, affected by multiple vulnerabilities :

  - A heap buffer overflow condition exists in the     EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3459)

  - An unspecified flaw exists in the Options subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3471)

  - An unspecified flaw exists in the Parser subcomponent     that allows a local attacker to gain elevated     privileges. (CVE-2016-3477)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3486)

  - An unspecified flaw exists in the Optimizer subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3501)

  - An unspecified flaw exists in the Types subcomponent     that allows an authenticated, remote attacker to cause     a denial of service condition. (CVE-2016-3521)

  - An unspecified flaw exists in the Security: Encryption     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-3614)

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-3615)

  - An unspecified flaw exists in the Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-5439)

  - An unspecified flaw exists in the RBR subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-5440)

  - An unspecified flaw exists in the Connection     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-5444)

  - An unspecified flaw exists in the InnoDB Plugin     subcomponent that allows an authenticated, remote     attacker to impact integrity. (CVE-2016-8288)

  - Multiple overflow conditions exist due to improper     validation of user-supplied input. An authenticated,     remote attacker can exploit these issues to cause a     denial of service condition or the execution of     arbitrary code.

  - A NULL pointer dereference flaw exists in a parser     structure that is triggered during the validation of     stored procedure names. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - Multiple overflow conditions exist in the InnoDB     memcached plugin due to improper validation of     user-supplied input. An authenticated, remote attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists that is triggered when     invoking Enterprise Encryption functions in multiple     threads simultaneously or after creating and dropping     them. An authenticated, remote attacker can exploit this     to crash the database, resulting in a denial of service     condition.

  - An unspecified flaw exists that is triggered when     handling a 'SELECT ... GROUP BY ... FOR UPDATE' query     executed with a loose index scan. An authenticated,     remote attacker can exploit this to crash the database,     resulting in a denial of service condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of MariaDB running on the remote host is 10.1.x prior to 10.1.14. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to disclose     sensitive information. (CVE-2016-0643)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0647)

  - An unspecified flaw exists in the PS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0648)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0655)

  - An unspecified flaw exists in the Security: Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-0666)

  - An unspecified flaw exists in the Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - An unspecified flaw in the InnoDB subcomponent allows an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2016-3459)

  - An unspecified flaw in the Connection subcomponent     allows an unauthenticated, remote attacker to disclose     sensitive information. (CVE-2016-5444)

  - A heap corruption issue exists in the     handle_connections_shared_memory() function in mysqld.cc     due to improper sanitization of user-supplied input. An     authenticated, remote attacker can exploit this to crash     the database, resulting in a denial of service     condition.

  - An overflow condition exists in the     ha_connect::ha_connect() function in ha_connect.cc due     to improper validation of user-supplied input when     when handling partnames. An authenticated, remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists in sql_insert.cc that is     triggered during the handling of INSERT or REPLACE     DELAYED statements. An authenticated, remote attacker     can exploit this to crash the database, resulting in a     denial of service condition.

  - A flaw exists in the embedded server in the     cli_read_prepare_result() function in libmysql.c that is     triggered when handling a CREATE TABLE statement. An     authenticated, remote attacker can exploit this to crash     the database, resulting in a denial of service     condition.

  - A flaw exists in the acl_load() function in sql_acl.cc     that is triggered when handling user tables. An     authenticated, remote attacker can exploit this to crash     the database, resulting in a denial of service     condition.

  - A flaw exists in the cost_group_min_max() function in     opt_range.cc that is triggered when handling a group by     clause. An authenticated, remote attacker can exploit     this to crash the database, resulting in a denial of     service condition.

  - A flaw exists in the Item_subselect::is_expensive()     function in item_subselect.cc that is triggered when     handling a UNION query. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - A flaw exists in the validate_password() function in     sql_acl.cc that is triggered when handling NULL     passwords. An authenticated, remote attacker can exploit     this to crash the database, resulting in a denial of     service condition.

  - A flaw exists in the Item_func_match::fix_index()     function within file sql/item_func.cc due to improper     handling of a full-text search of the utf8mb4 column.
    An authenticated, remote attacker can exploit this to     crash the database, resulting in a denial of service     condition.

The version of MariaDB running on the remote host is 10.0.x prior to 10.0.25. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the DML subcomponent that     allows an authenticated, remote attacker to disclose     sensitive information. (CVE-2016-0643)

  - An unspecified flaw exists in the FTS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0647)

  - An unspecified flaw exists in the PS subcomponent that     allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0648)

  - An unspecified flaw exists in the InnoDB subcomponent     that allows an authenticated, remote attacker to cause a     denial of service condition. (CVE-2016-0655)

  - An unspecified flaw exists in the Security: Privileges     subcomponent that allows an authenticated, remote     attacker to cause a denial of service condition.
    (CVE-2016-0666)

  - An unspecified flaw exists in the Encryption     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-3452)

  - An unspecified flaw in the InnoDB subcomponent allows an     authenticated, remote attacker to cause a denial of     service condition. (CVE-2016-3459)

  - An unspecified flaw in the Connection subcomponent     allows an unauthenticated, remote attacker to disclose     sensitive information. (CVE-2016-5444)

  - An overflow condition exists in the     extension_based_table_discovery() function in     discover.cc due to improper validation of user-supplied     input. An authenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code.

  - A flaw exists in the mariadb_dyncol_unpack() function in     ma_dyncol.c due to improper validation of user-supplied     input. An authenticated, remote attacker can exploit     this to corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - A flaw exists in the TDBTBM::ResetDB() function in     tabtbl.cpp that is triggered when sorting a TBL table     with a thread set to 'yes'. An authenticated, remote     attacker can exploit this to crash the database,     resulting in a denial of service condition.

  - A heap corruption issue exists in the     handle_connections_shared_memory() function in mysqld.cc     due to improper sanitization of user-supplied input. An     authenticated, remote attacker can exploit this to crash     the database, resulting in a denial of service     condition.

  - An overflow condition exists in the     ha_connect::ha_connect() function in ha_connect.cc due     to improper validation of user-supplied input     when handling partnames. An authenticated, remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.

  - An unspecified flaw exists in sql_insert.cc that is     triggered during the handling of INSERT or REPLACE     DELAYED statements. An authenticated, remote attacker     can exploit this to crash the database, resulting in a     denial of service condition.

  - A flaw exists in the Item_func_match::fix_index()     function within file sql/item_func.cc due to improper     handling of a full-text search of the utf8mb4 column.
    An authenticated, remote attacker can exploit this to     crash the database, resulting in a denial of service     condition.

ID	Name	Product	Family	Severity
94756	openSUSE Security Update : mysql-community-server (openSUSE-2016-1289)	Nessus	SuSE Local Security Checks	critical
94694	openSUSE Security Update : mysql-community-server (openSUSE-2016-1283)	Nessus	SuSE Local Security Checks	critical
802028	MySQL Server < 5.6.x < 5.6.31, 5.7.x < 5.7.13 Multiple Vulnerabilities	Log Correlation Engine	Database	medium
9483	Oracle MySQL 5.5.x < 5.5.50 / 5.6.x < 5.6.31 / 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus Network Monitor	Database	high
93015	Amazon Linux AMI : mysql56 (ALAS-2016-737)	Nessus	Amazon Linux Local Security Checks	medium
92511	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : mysql-5.5, mysql-5.6, mysql-5.7 vulnerabilities (USN-3040-1)	Nessus	Ubuntu Local Security Checks	medium
92505	FreeBSD : MySQL -- Multiple vulnerabilities (ca5cb202-4f51-11e6-b2ec-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high
91997	MySQL 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus	Databases	high
91995	MySQL 5.6.x < 5.6.31 Multiple Vulnerabilities	Nessus	Databases	high
91998	Oracle MySQL 5.7.x < 5.7.13 Multiple Vulnerabilities	Nessus	Databases	high
91996	Oracle MySQL 5.6.x < 5.6.31 Multiple Vulnerabilities	Nessus	Databases	high
91766	MariaDB 10.1.x < 10.1.14 Multiple Vulnerabilities	Nessus	Databases	high
91765	MariaDB 10.0.x < 10.0.25 Multiple Vulnerabilities	Nessus	Databases	high

CVE-2016-3459

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins