Date: Tue, 16 Sep 2014 18:05:11 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MySQL: MyISAM temporary file issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Sep 16, 2014 at 10:15:43AM -0400, Marc Deslauriers wrote:
> On 14-09-11 10:39 AM, Tomas Hoger wrote:
> > On Wed, 10 Sep 2014 10:28:53 -0700 Ritwik Ghoshal wrote:
> > 
> >> Please use CVE-2014-4274 for this issue.
> >>
> >> Please send an email to secalert_us@...cle.com to contact Oracle for
> >> any security vulnerability related issues.
> > 
> > As pointed out in this Gentoo bug, release notes for the mentioned
> > MySQL versions list another issue that seems to be security:
> > 
> > https://bugs.gentoo.org/show_bug.cgi?id=518718
> > 
> > 3) An off-by-one error related to certificate decoding in yaSSL can be
> > exploited to cause a buffer overflow.
> 
> There is also mention of:
> 
> "Clients could determine based on connection error message content whether an
> account existed. (Bug #16513435, Bug #17357528, Bug #19273967)"
> 
> I believe this is the fix for CVE-2012-5615, and is fixed with the following commit:
> 
> http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676
> 
> Marc.
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlQYUacACgkQXf6hBi6kbk9miwCgxs1bkE4GldQy/dBlF8CBdXOE
DoYAnRfG9bhaXmdCZFufnLSBZMKuW3fn
=e8Ky
-----END PGP SIGNATURE-----
