openSUSE Security Update : mysql-community-server (openSUSE-2017-555) (Riddle)

high Nessus Plugin ID 100039

VPR Score: 5.9


The remote openSUSE host is missing a security update.


This update for mysql-community-server to version 5.6.36 fixes the following issues:

These security issues were fixed:

- CVE-2016-5483: Mysqldump failed to properly quote certain identifiers in SQL statements written to the dump output, allowing for execution of arbitrary commands (bsc#1029014)

- CVE-2017-3305: MySQL client sent authentication request unencrypted even if SSL was required (aka Riddle) (bsc#1029396).

- CVE-2017-3308: Unspecified vulnerability in Server: DML (boo#1034850)

- CVE-2017-3309: Unspecified vulnerability in Server: Optimizer (boo#1034850)

- CVE-2017-3329: Unspecified vulnerability in Server: Thread (boo#1034850)

- CVE-2017-3453: Unspecified vulnerability in Server: Optimizer (boo#1034850)

- CVE-2017-3456: Unspecified vulnerability in Server: DML (boo#1034850)

- CVE-2017-3461: Unspecified vulnerability in Server: Security (boo#1034850)

- CVE-2017-3462: Unspecified vulnerability in Server: Security (boo#1034850)

- CVE-2017-3463: Unspecified vulnerability in Server: Security (boo#1034850)

- CVE-2017-3464: Unspecified vulnerability in Server: DDL (boo#1034850)

- CVE-2017-3302: Crash in (bsc#1022428).

- CVE-2017-3450: Unspecified vulnerability Server:

- CVE-2017-3452: Unspecified vulnerability Server:

- CVE-2017-3599: Unspecified vulnerability Server: Pluggable Auth

- CVE-2017-3600: Unspecified vulnerability in Client: mysqldump (boo#1034850)

- '--ssl-mode=REQUIRED' can be specified to require a secure connection (it fails if a secure connection cannot be obtained)

These non-security issues were fixed :

- Set the default umask to 077 in mysql-systemd-helper (boo#1020976)

- Change permissions of the configuration dir/files to 755/644. Please note that storing the password in the /etc/my.cnf file is not safe. Use, for example, an option file that is accessible only by yourself (boo#889126)

For more information please see


Update the affected mysql-community-server packages.

Plugin Details

Severity: High

ID: 100039

File Name: openSUSE-2017-555.nasl

Version: 3.7

Type: local

Agent: unix

Published: 5/9/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.8

Temporal Score: 6.1

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.7

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libmysql56client18, p-cpe:/a:novell:opensuse:libmysql56client18-32bit, p-cpe:/a:novell:opensuse:libmysql56client18-debuginfo, p-cpe:/a:novell:opensuse:libmysql56client18-debuginfo-32bit, p-cpe:/a:novell:opensuse:libmysql56client_r18, p-cpe:/a:novell:opensuse:libmysql56client_r18-32bit, p-cpe:/a:novell:opensuse:mysql-community-server, p-cpe:/a:novell:opensuse:mysql-community-server-bench, p-cpe:/a:novell:opensuse:mysql-community-server-bench-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-client, p-cpe:/a:novell:opensuse:mysql-community-server-client-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-debugsource, p-cpe:/a:novell:opensuse:mysql-community-server-errormessages, p-cpe:/a:novell:opensuse:mysql-community-server-test, p-cpe:/a:novell:opensuse:mysql-community-server-test-debuginfo, p-cpe:/a:novell:opensuse:mysql-community-server-tools, p-cpe:/a:novell:opensuse:mysql-community-server-tools-debuginfo, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2017

Reference Information

CVE: CVE-2016-5483, CVE-2017-3302, CVE-2017-3305, CVE-2017-3308, CVE-2017-3309, CVE-2017-3329, CVE-2017-3450, CVE-2017-3452, CVE-2017-3453, CVE-2017-3456, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3599, CVE-2017-3600