Mandriva Linux Security Advisory : mariadb (MDVSA-2014:028)

High Nessus Plugin ID 72495

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple vulnerabilities has been discovered and corrected in mariadb :

Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string (CVE-2014-0001).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB (CVE-2014-0412).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0437).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling (CVE-2013-5908).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication (CVE-2014-0420).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB (CVE-2014-0393).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition (CVE-2013-5891).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0386).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors (CVE-2014-0401).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking (CVE-2014-0402).

The updated packages have been upgraded to the 5.5.35 version which is not vulnerable to these issues.

Solution

Update the affected packages.

CPE: p-cpe:/a:mandriva:linux:lib64mariadb-devel, p-cpe:/a:mandriva:linux:lib64mariadb-embedded-devel, p-cpe:/a:mandriva:linux:lib64mariadb-embedded18, p-cpe:/a:mandriva:linux:lib64mariadb18, p-cpe:/a:mandriva:linux:mariadb, p-cpe:/a:mandriva:linux:mariadb-bench, p-cpe:/a:mandriva:linux:mariadb-client, p-cpe:/a:mandriva:linux:mariadb-common, p-cpe:/a:mandriva:linux:mariadb-common-core, p-cpe:/a:mandriva:linux:mariadb-core, p-cpe:/a:mandriva:linux:mariadb-extra, p-cpe:/a:mandriva:linux:mariadb-feedback, p-cpe:/a:mandriva:linux:mariadb-obsolete, p-cpe:/a:mandriva:linux:mysql-MariaDB, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/02/13

Reference Information

CVE: CVE-2013-5891, CVE-2013-5908, CVE-2014-0001, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0437

BID: 64888, 64891

MDVSA: 2014:028

Mandriva Linux Security Advisory : mariadb (MDVSA-2014:028)

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

CVSS v2.0

Vulnerability Information

Reference Information