Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Sep 2010 14:58:55 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Tom Lane <tgl@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- MySQL v5.1.49 -- multiple DoS
 flaws

Any update on these Steve? I've gotten a few questions about assignments.

Thanks.

-- 
    JB


----- "Josh Bressers" <bressers@...hat.com> wrote:

> Steve,
> 
> Can you handle this one? It's bigger than a breadbasket and I
> currently
> lack time to sort them all out.
> 
> Thanks.
> 
> -- 
>     JB
> 
> 
> ----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:
> 
> > Hi Steve, vendors,
> > 
> >    MySQL upstream yet on 2010-07-09 released version v5.1.49 of
> their
> > Community Server,
> > addressing couple of denial of service flaws (crashes and assertion
> > failures):
> > [1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html
> > 
> > 1, Security Fix: After changing the values of the
> innodb_file_format
> > or
> >                   innodb_file_per_table configuration parameters,
> DDL
> > statements
> >                   could cause a server crash. (Bug#55039)
> >     References:   http://bugs.mysql.com/bug.php?id=55039
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628660
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 2, Security Fix: Joins involving a table with a unique SET column
> > could cause
> >                   a server crash. (Bug#54575)
> >     References:   http://bugs.mysql.com/bug.php?id=54575
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628040
> >     Reason:       NULL pointer dereference leading to (temporary)
> > server DoS.
> > 
> > 3, Security Fix: Incorrect handling of NULL arguments could lead to
> a
> > crash
> >                   for IN() or CASE operations when NULL arguments
> were
> > either
> >                   passed explicitly as arguments (for IN()) or
> > implicitly
> >                   generated by the WITH ROLLUP  modifier (for IN()
> and
> > CASE).
> >                   (Bug#54477)
> >     References:   http://bugs.mysql.com/bug.php?id=54477
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628172
> >     Reason:       NULL pointer dereference leading to (temporary)
> > server DoS.
> > 
> > 4, Security Fix: A malformed argument to the BINLOG statement could
> > result
> >                   in Valgrind warnings or a server crash.
> (Bug#54393)
> >     References:   http://bugs.mysql.com/bug.php?id=54393
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628062
> >     Reason:       Use of unassigned memory leading to (temporary)
> > server DoS (crash).
> > 
> > 5, Security Fix: Use of TEMPORARY  InnoDB tables with nullable
> columns
> > could cause
> >                   a server crash. (Bug#54044)
> >     References:   http://bugs.mysql.com/bug.php?id=54044
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628192
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 6, Security Fix: The server could crash if there were alternate
> reads
> > from
> >                   two indexes on a table using the HANDLER
> interface.
> > (Bug#54007)
> >     References:   http://bugs.mysql.com/bug.php?id=54007
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628680
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 7, Security Fix: Using EXPLAIN with queries of the form SELECT ...
> > UNION
> >                   ... ORDER BY (SELECT ... WHERE ...) could cause a
> > server
> >                   crash. (Bug#52711)
> >     References:   http://bugs.mysql.com/bug.php?id=52711
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628328
> >     Reason:       NULL pointer dereference leading to (temporary)
> > server DoS.
> > 
> > 8, Security Fix: LOAD DATA INFILE did not check for SQL errors and
> > sent an
> >                   OK packet even when errors were already reported.
> > Also, an
> >                   assert related to client-server protocol checking
> in
> > debug
> >                   servers sometimes was raised when it should not
> have
> > been.
> >                   (Bug#52512)
> >     References:   http://bugs.mysql.com/bug.php?id=52512
> >                  
> https://bugzilla.redhat.com/show_bug.cgi?id=628698
> >     Reason:       Assertion failure leading to server abort.
> > 
> > 
> > It does not seem, CVE identifiers have been requested / assigned to
> > these issues
> > yet (either went unnoticed or not serious enough the get separate
> CVE
> > ids
> > [as it is possible on many distributions the majority of them would
> > mean only
> > temporary denial of service]).
> > 
> > Steve, if 'went unnoticed' is the case, could you please assign CVE
> > identifiers
> > for these?
> > 
> > Common references:
> > [2] http://secunia.com/advisories/41048/
> > 
> > Thanks && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> > 
> > P.S.: There is one crash due OOM killer issue yet:
> >        [3] http://bugs.mysql.com/bug.php?id=42064
> >        but that one is not something we would consider as being of
> a
> > security issue.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.