Bug 10820

Summary: Multiple vulnerabilities in mariadb/mysql (CVE-2013-3783, 3793, 3794, 3795, 3796, 3798, 3801, 3802, 3804, 3805, 3806, 3807, 3808, 3809, 3810, 3811, 3812)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: AL13N <alien>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: alien, luigiwalser, tmb
Version: 2   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: mariadb CVE:
Status comment:

Description Oden Eriksson 2013-07-23 07:44:40 CEST 
======================================================
Name: CVE-2013-3783
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3783
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.31 and earlier allows remote authenticated users to affect
availability via unknown vectors related to Server Parser.


======================================================
Name: CVE-2013-3793
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3793
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote
authenticated users to affect availability via unknown vectors related
to Data Manipulation Language.


======================================================
Name: CVE-2013-3794
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3794
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users
to affect availability via unknown vectors related to Server
Partition.


======================================================
Name: CVE-2013-3795
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3795
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote authenticated users to affect
availability via unknown vectors related to Data Manipulation
Language.


======================================================
Name: CVE-2013-3796
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3796
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote authenticated users to affect
availability via unknown vectors related to Server Optimizer.


======================================================
Name: CVE-2013-3798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3798
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote attackers to affect integrity
and availability via unknown vectors related to MemCached.


======================================================
Name: CVE-2013-3801
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3801
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users
to affect availability via unknown vectors related to Server Options.


======================================================
Name: CVE-2013-3802
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3802
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier
allows remote authenticated users to affect availability via unknown
vectors related to Full Text Search.


======================================================
Name: CVE-2013-3804
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3804
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier
allows remote authenticated users to affect availability via unknown
vectors related to Server Optimizer.


======================================================
Name: CVE-2013-3805
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3805
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users
to affect availability via unknown vectors related to Prepared
Statements.


======================================================
Name: CVE-2013-3806
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3806
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote authenticated users to affect
availability via unknown vectors related to InnoDB, a different
vulnerability than CVE-2013-3811.


======================================================
Name: CVE-2013-3807
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3807
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote attackers to affect
confidentiality and integrity via unknown vectors related to Server
Privileges.


======================================================
Name: CVE-2013-3808
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3808
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote
authenticated users to affect availability via unknown vectors related
to Server Options.


======================================================
Name: CVE-2013-3809
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3809
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote
authenticated users to affect integrity via unknown vectors related to
Audit Log.


======================================================
Name: CVE-2013-3810
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3810
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote authenticated users to affect
availability via unknown vectors related to XA Transactions.


======================================================
Name: CVE-2013-3811
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3811
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.11 and earlier allows remote authenticated users to affect
availability via unknown vectors related to InnoDB, a different
vulnerability than CVE-2013-3806.


======================================================
Name: CVE-2013-3812
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3812
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote
authenticated users to affect availability via unknown vectors related
to Server Replication.


Reproducible: 

Steps to Reproduce:
Comment 1 Manuel Hiebel 2013-07-23 08:08:17 CEST 
btw we have mariadb

CC: (none) => alien

Oden Eriksson 2013-07-23 08:16:56 CEST

Source RPM: mysql => mariadb

Oden Eriksson 2013-07-23 08:17:19 CEST

Summary: Multiple vulnerabilities in mysql (CVE-2013-3783, 3793, 3794, 3795, 3796, 3798, 3801, 3802, 3804, 3805, 3806, 3807, 3808, 3809, 3810, 3811, 3812) => Multiple vulnerabilities in mariadb/mysql (CVE-2013-3783, 3793, 3794, 3795, 3796, 3798, 3801, 3802, 3804, 3805, 3806, 3807, 3808, 3809, 3810, 3811, 3812)

Comment 2 Oden Eriksson 2013-07-23 09:03:41 CEST 
and mariadb piggy-backs on mysql, no?
Comment 3 Thomas Backlund 2013-07-23 12:48:32 CEST 
Yep...

CC: (none) => tmb
Assignee: bugsquad => alien

Comment 4 David Walser 2013-07-23 15:06:02 CEST 
Duplicate.

*** This bug has been marked as a duplicate of bug 9878 ***

Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => DUPLICATE

Comment 5 Oden Eriksson 2013-07-24 08:18:12 CEST 
I think you're mistaking closing this bug as it affects mga2 and mga3 as far as I can tell.

mariadb-5.5.32-1.mga3 was submitted to core/updates_testing yesterday, but I'm awating information how these CVE's affects mariadb.

Status: RESOLVED => REOPENED
Resolution: DUPLICATE => (none)

Comment 6 David Walser 2013-07-24 11:58:21 CEST 
The other bug is for Mageia 2 and 3.

*** This bug has been marked as a duplicate of bug 9878 ***

Status: REOPENED => RESOLVED
Resolution: (none) => DUPLICATE

Comment 7 David Walser 2013-07-24 12:00:14 CEST 
Please note the way we handle a bug for multiple versions using the whiteboard.

We always set the version to the *highest* version affected, and then add tags in the whiteboard for other versions affected.

So, for a bug affecting Cauldron, Mageia 3, and Mageia 2, the whiteboard has:
MGA3TOO, MGA2TOO

For a bug just affecting Mageia 2 and Mageia 3, version is 3, whiteboard has:
MGA2TOO
Comment 8 AL13N 2013-07-24 17:13:07 CEST 
well, that was just it... this isn't resolved in cauldron and for cauldron it could take a while...
Comment 9 AL13N 2013-07-24 17:13:52 CEST 
even mga3 isn't fixed imho, not even if it would be validated... it needs more checking and some CVE explanations to be sure
Comment 10 David Walser 2013-07-24 17:31:51 CEST 
Indeed.  We normally try to have things fixed in Cauldron before shipping updates for stable.  If we can't do that this time, we will need a new bug for QA, so I suppose we could use this one for that.  Let's wait to reopen it until there are update candidates ready :o)
Comment 11 AL13N 2013-07-24 17:58:27 CEST 
cauldron can't be fixed for now (could take a while)

the one in mga3 was submitted, even though it needs some checking