Date: Tue, 16 Sep 2014 10:15:43 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com, 
 Ritwik Ghoshal <ritwik.ghoshal@...cle.com>
CC: CVE Assignments MITRE <cve-assign@...re.org>, secalert_us@...cle.com
Subject: Re: CVE Request: MySQL: MyISAM temporary file issue

On 14-09-11 10:39 AM, Tomas Hoger wrote:
> On Wed, 10 Sep 2014 10:28:53 -0700 Ritwik Ghoshal wrote:
> 
>> Please use CVE-2014-4274 for this issue.
>>
>> Please send an email to secalert_us@...cle.com to contact Oracle for
>> any security vulnerability related issues.
> 
> As pointed out in this Gentoo bug, release notes for the mentioned
> MySQL versions list another issue that seems to be security:
> 
> https://bugs.gentoo.org/show_bug.cgi?id=518718
> 
> 3) An off-by-one error related to certificate decoding in yaSSL can be
> exploited to cause a buffer overflow.

There is also mention of:

"Clients could determine based on connection error message content whether an
account existed. (Bug #16513435, Bug #17357528, Bug #19273967)"

I believe this is the fix for CVE-2012-5615, and is fixed with the following commit:

http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676

Marc.

