openSUSE Security Update : mysql-community-server (openSUSE-2017-555) (Riddle)

high Nessus Plugin ID 100039
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for mysql-community-server to version 5.6.36 fixes the following issues :

These security issues were fixed :

 - CVE-2016-5483: Mysqldump failed to properly quote certain identifiers in SQL statements written to the dump output, allowing for execution of arbitrary commands (bsc#1029014)

 - CVE-2017-3305: MySQL client sent authentication request unencrypted even if SSL was required (aka Ridddle) (bsc#1029396).

 - CVE-2017-3308: Unspecified vulnerability in Server: DML (boo#1034850)

 - CVE-2017-3309: Unspecified vulnerability in Server:
 Optimizer (boo#1034850)

 - CVE-2017-3329: Unspecified vulnerability in Server:
 Thread (boo#1034850)

 - CVE-2017-3453: Unspecified vulnerability in Server:
 Optimizer (boo#1034850)

 - CVE-2017-3456: Unspecified vulnerability in Server: DML (boo#1034850)

 - CVE-2017-3461: Unspecified vulnerability in Server:
 Security (boo#1034850)

 - CVE-2017-3462: Unspecified vulnerability in Server:
 Security (boo#1034850)

 - CVE-2017-3463: Unspecified vulnerability in Server:
 Security (boo#1034850)

 - CVE-2017-3464: Unspecified vulnerability in Server: DDL (boo#1034850)

 - CVE-2017-3302: Crash in libmysqlclient.so (bsc#1022428).

 - CVE-2017-3450: Unspecified vulnerability Server:
 Memcached

 - CVE-2017-3452: Unspecified vulnerability Server:
 Optimizer

 - CVE-2017-3599: Unspecified vulnerability Server:
 Pluggable Auth

 - CVE-2017-3600: Unspecified vulnerability in Client:
 mysqldump (boo#1034850)

 - '--ssl-mode=REQUIRED' can be specified to require a secure connection (it fails if a secure connection cannot be obtained)

These non-security issues were fixed :

 - Set the default umask to 077 in mysql-systemd-helper (boo#1020976)

 - Change permissions of the configuration dir/files to 755/644. Please note that storing the password in the /etc/my.cnf file is not safe. Use for example an option file that is accessible only by yourself (boo#889126)

For more information please see http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html

Solution

Update the affected mysql-community-server packages.

See Also

https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html

https://bugzilla.opensuse.org/show_bug.cgi?id=1020976

https://bugzilla.opensuse.org/show_bug.cgi?id=1022428

https://bugzilla.opensuse.org/show_bug.cgi?id=1029014

https://bugzilla.opensuse.org/show_bug.cgi?id=1029396

https://bugzilla.opensuse.org/show_bug.cgi?id=1034850

https://bugzilla.opensuse.org/show_bug.cgi?id=889126

Plugin Details

Severity: High

ID: 100039

File Name: openSUSE-2017-555.nasl

Version: 3.7

Type: local

Agent: unix

Published: 5/9/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libmysql56client18, p-cpe:/a:novell:opensuse:libmysql56client18-32bit, p-cpe:/a:novell:opensuse:libmysql56client18-debuginfo, p-cpe:/a:novell:opensuse:libmysql56client18-debuginfo-32bit, p-cpe:/a:novell:opensuse:libmysql56client_r18, p-cpe:/a:novell:opensuse:libmysql56client_r18-32bit, p-cpe:/a:novell:opensuse:mysql-community-server, p-cpe:/a:novell:opensuse:mysql-community-server-bench, p-cpe:/a:novell:opensuse:mysql-community-server-bench-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-client, p-cpe:/a:novell:opensuse:mysql-community-server-client-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-debugsource, p-cpe:/a:novell:opensuse:mysql-community-server-errormessages, p-cpe:/a:novell:opensuse:mysql-community-server-test, p-cpe:/a:novell:opensuse:mysql-community-server-test-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-tools, p-cpe:/a:novell:opensuse:mysql-community-server-tools-debuginfo, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2017

Reference Information

CVE: CVE-2016-5483, CVE-2017-3302, CVE-2017-3305, CVE-2017-3308, CVE-2017-3309, CVE-2017-3329, CVE-2017-3450, CVE-2017-3452, CVE-2017-3453, CVE-2017-3456, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3599, CVE-2017-3600