Date: Tue, 16 Sep 2014 10:15:43 -0400 From: Marc Deslauriers <marc.deslauriers@...onical.com> To: oss-security@...ts.openwall.com, Ritwik Ghoshal <ritwik.ghoshal@...cle.com> CC: CVE Assignments MITRE <cve-assign@...re.org>, secalert_us@...cle.com Subject: Re: CVE Request: MySQL: MyISAM temporary file issue On 14-09-11 10:39 AM, Tomas Hoger wrote: > On Wed, 10 Sep 2014 10:28:53 -0700 Ritwik Ghoshal wrote: > >> Please use CVE-2014-4274 for this issue. >> >> Please send an email to secalert_us@...cle.com to contact Oracle for >> any security vulnerability related issues. > > As pointed out in this Gentoo bug, release notes for the mentioned > MySQL versions list another issue that seems to be security: > > https://bugs.gentoo.org/show_bug.cgi?id=518718 > > 3) An off-by-one error related to certificate decoding in yaSSL can be > exploited to cause a buffer overflow. There is also mention of: "Clients could determine based on connection error message content whether an account existed. (Bug #16513435, Bug #17357528, Bug #19273967)" I believe this is the fix for CVE-2012-5615, and is fixed with the following commit: http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676 Marc.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ