Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Sep 2014 10:28:53 -0700
From: Ritwik Ghoshal <ritwik.ghoshal@...cle.com>
To: oss-security@...ts.openwall.com
CC: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE Request: MySQL: MyISAM temporary file issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please use CVE-2014-4274 for this issue.

Please send an email to secalert_us@...cle.com to contact Oracle for any
security vulnerability related issues. More information is available at -
http://www.oracle.com/us/support/assurance/vulnerability-remediation/reporting-security-vulnerabilities/index.html

Thanks,
- -Ritwik

On 9/10/2014 10:15 AM, Ritwik Ghoshal wrote:
> 
> I'll look into this and get back to you shortly.
> 
> Thanks,
> -Ritwik
> 
> 
> On 9/10/2014 9:29 AM, Kurt Seifried wrote:
>> Technically speaking Oracle is a CNA and should be handling this, I have
>> no idea how to contact them though, Mitre, can you guys reach out to
>> them? Also does this affect MariaDB?
> 
>> On 10/09/14 10:00 AM, Salvatore Bonaccorso wrote:
>>> Hi
>>>
>>> The changes for MySQL 5.5.39[1] and 5.6.20[2] contain a reference to
>>> the following issue, which could be exploited by a local user to run
>>> arbitrary code in context of the mysqld server.
>>>
>>> MyISAM temporary files could be used to mount a code-execution attack.
>>> (Bug #18045646).
>>>
>>> This is also tracked in[3] and [4] mentioning as relevant fix [5].
>>>
>>> Was a CVE already requested for this issue? If not, could one be
>>> assigned?
>>>
>>> Regards,
>>> Salvatore
>>>
>>>  [1] https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
>>>  [2] https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-20.html
>>>  [3] https://bugzilla.redhat.com/show_bug.cgi?id=1126271
>>>  [4] https://bugs.gentoo.org/show_bug.cgi?id=518718
>>>  [5] https://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4638
>>>
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUEIpRAAoJEB1zxS9196oudt4IAKDHu+phcRPSlXzXgjRMm5Tp
Viv7ejTo2wANPK6hAD7/7aBjb2qAMvtY2HXUtm8spqA5199pV2mGSS7ItuQFBOCc
FE0AKnPg6CoDZKe1hVhjOHveZiBJkKpGYOs74bxwhu1acPlF/oq38CWAV7yb8pjo
74Nuc+JErZGCIEVNJXpgrQMfHJ1OS8VbWCEtOkgLpU8fNBlwR9jMQQtlOqAv+PEB
OA3nE5guX6CtHGCKa4YaMVmWh0au/q72R3fONP1WwAYrXjlBznovCdE9sZjzw1Np
01/51rso0ranMYN76h6DCztD6bQKVWJaDSOoGOJyD234EcF4DUb642ch9OAp+3A=
=Qule
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.