Date: Sat, 11 Feb 2012 12:50:47 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: MySQL 0-day - does it need a CVE?

On Fri, Feb 10, 2012 at 12:36:46AM +0400, Solar Designer wrote:
> The table at the bottom of:
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
> 
> lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
> little other info.

Here's a more direct link:

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL

(e.g. for referring to in distro advisories).

News story summarizing the problem (in Russian, sorry):

http://www.opennet.ru/opennews/art.shtml?num=33051

It also mentions that Oracle Linux merely reuses RHEL's updates to
MySQL without any reference to Oracle's own MySQL vulnerability/fix
info.  So it is not even clear whether Oracle Linux has these 27 bugs in
MySQL fixed or not, despite MySQL being an Oracle product.

Alexander
