SB2012081307 - SUSE Linux update for MySQL
Published: August 13, 2012
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2009-5026)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments.
2) Input validation error (CVE-ID: CVE-2012-0075)
The vulnerability allows a remote #AU# to manipulate data.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.
3) Input validation error (CVE-ID: CVE-2012-0087)
The vulnerability allows a remote #AU# to perform service disruption.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.
4) Input validation error (CVE-ID: CVE-2012-0101)
The vulnerability allows a remote #AU# to perform service disruption.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.
5) Input validation error (CVE-ID: CVE-2012-0102)
The vulnerability allows a remote #AU# to perform service disruption.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0101.
6) Input validation error (CVE-ID: CVE-2012-0114)
The vulnerability allows a local #AU# to read and manipulate data.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
7) Input validation error (CVE-ID: CVE-2012-0484)
The vulnerability allows a remote #AU# to gain access to sensitive information.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.
8) Input validation error (CVE-ID: CVE-2012-0490)
The vulnerability allows a remote #AU# to perform service disruption.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
9) Improper Authentication (CVE-ID: CVE-2012-2122)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
Remediation
Install update from vendor's website.