Date: Fri, 10 Feb 2012 11:54:17 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: MySQL 0-day - does it need a CVE?

On Fri, Feb 10, 2012 at 12:36:46AM +0400, Solar Designer wrote:
> On Thu, Feb 09, 2012 at 10:09:44PM +0200, Henri Salo wrote:
> > Oracle MySQL Server CVE-2012-0492 Remote MySQL Server Vulnerability ??? http://www.securityfocus.com/bid/51516
> 
> Why this one?
> 
> The table at the bottom of:
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
> 
> lists 27 MySQL vulnerabilities, all with CVE IDs and CVSS scoring - but
> little other info.  CVE-2012-0492 is one of them, but it does not stand
> out.  (And I have no idea what it actually is, just like I have no idea
> about the remaining 26.)
> 
> "This Critical Patch Update contains 27 new security fixes for Oracle
> MySQL.  1 of these vulnerabilities may be remotely exploitable without
> authentication, i.e., may be exploited over a network without the need
> for a username and password."
> 
> That one is CVE-2011-2262, but per CVSS scoring it's just a DoS.
> 
> I wish we had more info.
> 
> Alexander

Sorry for not being clear. I am not sure what the CVE identifier is, as I told in my last email to this thread. New cases I have seen:
http://security-tracker.debian.org/tracker/CVE-2011-2262
http://security-tracker.debian.org/tracker/CVE-2012-0492
The latter link has a list of "a different vulnerability than". I do NOT have any facts about these vulnerabilities. I hope Oracle coordinates issues like these with MITRE/US-CERT and adds more information to the advisory and CVE after these are 100% public and distros are ready.

- Henri Salo
