Debian DSA-2818-1 : mysql-5.5 - several vulnerabilities

Medium Nessus Plugin ID 71474

Synopsis

The remote Debian host is missing a security-related update.

Description

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.5.33, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details :

- http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 32.html
- http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 33.html

In addition this update fixes two issues affecting specifically the mysql-5.5 Debian package :

A race condition in the post-installation script of the mysql-server-5.5 package creates the configuration file '/etc/mysql/debian.cnf' with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials for the debian-sys-maint to perform administration tasks. (CVE-2013-2162 )

Matthias Reichl reported that the mysql-5.5 package misses the patches applied previous in Debian's mysql-5.1 to drop the database 'test' and the permissions that allow anonymous access, without a password, from localhost to the 'test' database and any databases starting with'test_'. This update reintroduces these patches for the mysql-5.5 package.

Existing databases and permissions are not touched. Please refer to the NEWS file provided with this update for further information.

Solution

Upgrade the mysql-5.5 packages.

For the stable distribution (wheezy), these problems have been fixed in version 5.5.33+dfsg-0+wheezy1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732306

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-32.html

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-33.html

https://security-tracker.debian.org/tracker/CVE-2013-2162

https://packages.debian.org/source/wheezy/mysql-5.5

https://www.debian.org/security/2013/dsa-2818

Plugin Details

Severity: Medium

ID: 71474

File Name: debian_DSA-2818.nasl

Version: 1.9

Type: local

Agent: unix

Published: 2013/12/17

Updated: 2018/11/19

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mysql-5.5, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/12/16

Reference Information

CVE: CVE-2013-1861, CVE-2013-2162, CVE-2013-3783, CVE-2013-3793, CVE-2013-3802, CVE-2013-3804, CVE-2013-3809, CVE-2013-3812, CVE-2013-3839, CVE-2013-5807

BID: 58511, 60424, 61210, 61244, 61249, 61260, 61264, 61272, 63105, 63109

DSA: 2818