A security issue fixed upstream in perl-DBD-mysql has been announced: http://www.openwall.com/lists/oss-security/2016/10/03/7 The commit to fix the issue is linked in the message above. Mageia 5 is probably also affected.
CC: (none) => guillomovitch, mageiaWhiteboard: (none) => MGA5TOOVersion: 5 => Cauldron
Debian has issued an advisory for this on October 3: https://www.debian.org/security/2016/dsa-3684
Assigning to maintainer
Assignee: bugsquad => jquelinCC: (none) => marja11
URL: (none) => http://lwn.net/Vulnerabilities/702551/
Freeze push requested for cauldron.
A security issue fixed upstream in perl-DBD-mysql has been announced: http://openwall.com/lists/oss-security/2016/11/16/1 The issue is fixed in 4.039 and the commit to fix it is linked in the message above. Mageia 5 is also affected.
Summary: perl-DBD-mysql new security issue CVE-2016-1246 => perl-DBD-mysql new security issue CVE-2016-1246 and CVE-2016-1249
perl-DBD-mysql-4.39.0-1.mga6 uploaded for Cauldron by Guillaume.
Whiteboard: MGA5TOO => (none)Version: Cauldron => 5
(In reply to David Walser from comment #4) > A security issue fixed upstream in perl-DBD-mysql has been announced: > http://openwall.com/lists/oss-security/2016/11/16/1 > > The issue is fixed in 4.039 and the commit to fix it is linked in the > message above. > > Mageia 5 is also affected. LWN reference: https://lwn.net/Vulnerabilities/707362/ Fedora has issued an advisory for this on November 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY3AHSF4ZPQQ5OGYZYNQOD7TBL7CAG4F/
A security issue fixed upstream in perl-DBD-mysql has been announced: http://openwall.com/lists/oss-security/2016/11/28/2 The issue is fixed in 4.041 and the commit to fix it is linked in the message above. Mageia 5 is also affected.
Version: 5 => CauldronSummary: perl-DBD-mysql new security issue CVE-2016-1246 and CVE-2016-1249 => perl-DBD-mysql new security issue CVE-2016-1246, CVE-2016-1249, CVE-2016-1251Whiteboard: (none) => MGA5TOO
perl-DBD-mysql-4.41.0-1.mga6 uploaded for Cauldron by Guillaume. Thanks again!
LWN reference for CVE-2016-1251: https://lwn.net/Vulnerabilities/708876/ Fedora has issued an advisory for this on December 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BLHU5FAHMKZBZ4LAHIASWUJVK4O6JS6/
CVE-2017-10788: http://openwall.com/lists/oss-security/2017/07/03/3 Looks like the fix for this is actually in code in documentation, not in the perl module itself.
It seems there is an actual problem in the Perl module (in C code), due to erroneous documentation on Oracle side... A patch is available here, but I'd rather wait for upstream review before shipping it: https://github.com/perl5-dbi/DBD-mysql/issues/120
Status: NEW => ASSIGNED
Thanks for the clarification on CVE-2017-10788 Guillaume. Now there's also CVE-2017-10789: http://openwall.com/lists/oss-security/2017/07/05/1 I don't believe there's a fix for that one yet. We'll need to split out a new bug for these two if we don't fix them all at the same time.
Fedora has issued an advisory for CVE-2017-10788 on July 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CWISRFDOB7YRPBNDD3BNIQHSRYBDD6S/
can we update to version 4.043 in mageia 5 ? ( fixes CVE-2017-10788 )
CC: (none) => mageia
It's worth a shot.
Fedora has issued an advisory on December 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TAWTNCSYWNBJHJR4AYQAAW65JVWDWMEW/ It fixes CVE-2017-10789.
I tried building 4.043 from Cauldron in Mageia 6 and it doesn't build (I'm not sure if it built in Cauldron since Sophie is not on IRC): http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20171227030611.luigiwalser.duvel.37320/log/perl-DBD-mysql-4.43.0-1.mga6/build.0.20171227030708.log We would have to update Mageia 6 as well if we're going to update Mageia 5 to this version.
Cauldron still has 4.041, so it didn't build there either.
Advisory: ======================== Updated perl-DBD-mysql package fixes security vulnerabilities: Pali Rohar discovered that DBD::mysql constructed an error message in a fixed-length buffer, leading to a crash (_FORTIFY_SOURCE failure) and, potentially, to denial of service (CVE-2016-1246). A vulnerability was discovered in perl-DBD-MySQL that can lead to an out-of-bounds read when using server side prepared statements with an unaligned number of placeholders in WHERE condition and output fields in SELECT expression (CVE-2016-1249). There is a vulnerability of type use-after-free affecting DBD::mysql before 4.041 when used with mysql_server_prepare=1 (CVE-2016-1251). The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection to a MySQL server. The use-after-free defect was introduced by relying on incorrect Oracle mysql_stmt_close documentation and code examples (CVE-2017-10788). The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack (CVE-2017-10789). Note that the CVE-2016-1246, CVE-2017-1249, and CVE-2016-1251 issues only affected Mageia 5. Also note that server-side prepared statements are disabled by default. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1246 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1251 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789 https://www.debian.org/security/2016/dsa-3684 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NY3AHSF4ZPQQ5OGYZYNQOD7TBL7CAG4F/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7BLHU5FAHMKZBZ4LAHIASWUJVK4O6JS6/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3CWISRFDOB7YRPBNDD3BNIQHSRYBDD6S/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TAWTNCSYWNBJHJR4AYQAAW65JVWDWMEW/ ======================== Updated packages in core/updates_testing: ======================== perl-DBD-mysql-4.43.0-1.mga5 perl-DBD-mysql-4.43.0-1.mga6 from SRPMS: perl-DBD-mysql-4.43.0-1.mga5.src.rpm perl-DBD-mysql-4.43.0-1.mga6.src.rpm
Assignee: jquelin => qa-bugsVersion: 5 => 6Whiteboard: (none) => MGA5TOO
Warrants proper testing.
(In reply to Lewis Smith from comment #20) > Warrants proper testing. If it's any help I have a zoneminder server (which uses perl-DBD-mysql) running Mga5 which I can update with the new version and do tests if someone can explain how ;)
CC: (none) => zen25000
If zoneminder uses perl-DBD-mysql and still works with the update, then that's how. That's actually great, a real world test.
I fully updated the server, re-booted it and then installed the perl-DBD-mysql from updates_testing. I then re-started apache, mysql and zoneminder. All seems OK so far, but I will keep an eye on the logs.
CC: (none) => davidwhodginsKeywords: (none) => advisory
Nothing unusual in the logs and I also ran my zmsetup script which calls a perl script that accesses the mysql database and that ran without error so for me there are no regressions on Mga5 x86_64.
Same in Mga6 - here I removed the old db and allowed the upstream perl script to create a clean new zoneminder db. No problems or regressions, so Mga6 x86_64 is OK for me. [baz@leno ~]$ uname -r 4.9.56-desktop-1.mga6 [baz@leno ~]$ rpm -q perl-DBD-mysql perl-DBD-mysql-4.43.0-1.mga6 [baz@leno ~]$ sudo zmsetup *** Welcome to ZoneMinder Setup *** OK Please wait a moment... Please enter your mysql root password: You already have a ZoneMinder database installed Do you want to re-use it? [y/n] n Delete existing ZoneMinder database? OK? [y/n] y Installing a new ZoneMinder database ... Congratulations - ZoneMinder is now running. You should be able to access the ZM Console in your browser using :- http://leno/zm [baz@leno ~]$
Adding the oks and validating the update based on Barry's comments.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0031.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED