Date: Wed, 22 Sep 2010 14:58:55 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Tom Lane <tgl@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- MySQL v5.1.49 -- multiple DoS flaws

Any update on these Steve? I've gotten a few questions about assignments.

Thanks.

-- 
    JB


----- "Josh Bressers" <bressers@...hat.com> wrote:

> Steve,
> 
> Can you handle this one? It's bigger than a breadbasket and I currently
> lack time to sort them all out.
> 
> Thanks.
> 
> -- 
>     JB
> 
> 
> ----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:
> 
> > Hi Steve, vendors,
> > 
> >    MySQL upstream yet on 2010-07-09 released version v5.1.49 of their
> > Community Server, addressing couple of denial of service flaws (crashes
> > and assertion failures):
> > [1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html
> > 
> > 1, Security Fix: After changing the values of the innodb_file_format or
> >                   innodb_file_per_table configuration parameters, DDL
> >                   statements could cause a server crash. (Bug#55039)
> >     References:   http://bugs.mysql.com/bug.php?id=55039
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628660
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 2, Security Fix: Joins involving a table with a unique SET column could
> >                   cause a server crash. (Bug#54575)
> >     References:   http://bugs.mysql.com/bug.php?id=54575
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628040
> >     Reason:       NULL pointer dereference leading to (temporary) server DoS.
> > 
> > 3, Security Fix: Incorrect handling of NULL arguments could lead to a
> >                   crash for IN() or CASE operations when NULL arguments
> >                   were either passed explicitly as arguments (for IN()) or
> >                   implicitly generated by the WITH ROLLUP modifier (for
> >                   IN() and CASE). (Bug#54477)
> >     References:   http://bugs.mysql.com/bug.php?id=54477
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628172
> >     Reason:       NULL pointer dereference leading to (temporary) server DoS.
> > 
> > 4, Security Fix: A malformed argument to the BINLOG statement could result
> >                   in Valgrind warnings or a server crash. (Bug#54393)
> >     References:   http://bugs.mysql.com/bug.php?id=54393
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628062
> >     Reason:       Use of unassigned memory leading to (temporary) server
> >                   DoS (crash).
> > 
> > 5, Security Fix: Use of TEMPORARY InnoDB tables with nullable columns
> >                   could cause a server crash. (Bug#54044)
> >     References:   http://bugs.mysql.com/bug.php?id=54044
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628192
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 6, Security Fix: The server could crash if there were alternate reads from
> >                   two indexes on a table using the HANDLER interface.
> >                   (Bug#54007)
> >     References:   http://bugs.mysql.com/bug.php?id=54007
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628680
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 7, Security Fix: Using EXPLAIN with queries of the form SELECT ... UNION
> >                   ... ORDER BY (SELECT ... WHERE ...) could cause a server
> >                   crash. (Bug#52711)
> >     References:   http://bugs.mysql.com/bug.php?id=52711
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628328
> >     Reason:       NULL pointer dereference leading to (temporary) server DoS.
> > 
> > 8, Security Fix: LOAD DATA INFILE did not check for SQL errors and sent an
> >                   OK packet even when errors were already reported. Also,
> >                   an assert related to client-server protocol checking in
> >                   debug servers sometimes was raised when it should not
> >                   have been. (Bug#52512)
> >     References:   http://bugs.mysql.com/bug.php?id=52512
> >                   https://bugzilla.redhat.com/show_bug.cgi?id=628698
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 
> > It does not seem, CVE identifiers have been requested / assigned to these
> > issues yet (either went unnoticed or not serious enough to get separate
> > CVE ids [as it is possible on many distributions the majority of them
> > would mean only temporary denial of service]).
> > 
> > Steve, if 'went unnoticed' is the case, could you please assign CVE
> > identifiers for these?
> > 
> > Common references:
> > [2] http://secunia.com/advisories/41048/
> > 
> > Thanks && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> > 
> > P.S.: There is one crash due OOM killer issue yet:
> >        [3] http://bugs.mysql.com/bug.php?id=42064
> >        but that one is not something we would consider as being of a
> >        security issue.
