Bug 23154 - perl-DBD-mysql new security issues CVE-2017-10788 and CVE-2017-10789
Summary: perl-DBD-mysql new security issues CVE-2017-10788 and CVE-2017-10789
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-08 20:28 CEST by David Walser
Modified: 2018-06-14 20:16 CEST (History)
4 users (show)

See Also:
Source RPM: perl-DBD-mysql-4.43.0-1.mga6.src.rpm
CVE:
Status comment:


Attachments
test script perl-mysql (1.13 KB, application/x-perl)
2018-06-10 12:02 CEST, Herman Viaene
Details

Description David Walser 2018-06-08 20:28:25 CEST
openSUSE has issued an advisory on May 29:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00138.html
Comment 1 Marja Van Waes 2018-06-08 21:37:16 CEST
Assigning to the Perl stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => perl
CC: (none) => marja11, shlomif

Comment 2 David Walser 2018-06-09 17:02:32 CEST
Updated packages uploaded by Shlomi and myself.  Thanks Shlomi!

Advisory:
========================

Updated perl-DBD-mysql package fixes security vulnerabilities:

The DBD::mysql Perl module through 4.043 for Perl allows remote attackers to
cause a denial of service (use-after-free and application crash) or possibly
have unspecified other impact by triggering certain error responses from a
MySQL server or a loss of a network connection to a MySQL server. The
use-after-free defect was introduced by relying on incorrect Oracle
mysql_stmt_close documentation and code examples (CVE-2017-10788).

The DBD::mysql Perl module, when used with mysql_ssl=1 setting enabled, means
that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which could lead
man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack
(CVE-2017-10789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
https://lists.opensuse.org/opensuse-updates/2018-05/msg00138.html
========================

Updated packages in core/updates_testing:
========================
perl-DBD-mysql-4.46.0-1.mga5
perl-DBD-mysql-4.46.0-1.mga6

from SRPMS:
perl-DBD-mysql-4.46.0-1.mga5.src.rpm
perl-DBD-mysql-4.46.0-1.mga6.src.rpm

Whiteboard: (none) => MGA5TOO
Assignee: perl => qa-bugs

Comment 3 Herman Viaene 2018-06-10 12:01:05 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Googling fiddled a test script (see attachment)
$ perl perldbdtest.pl 
DBD::mysql::db do failed: Unknown table 'test10.0.35.foo' at perldbdtest.pl line 14.
Dropping foo failed: DBD::mysql::db do failed: Unknown table 'test10.0.35.foo' at perldbdtest.pl line 14.

Found a row: id = 1, name = Tim
Found a row: id = 2, name = Jochen
Looks OK to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Herman Viaene 2018-06-10 12:02:11 CEST
Created attachment 10235 [details]
test script perl-mysql
Comment 5 Herman Viaene 2018-06-11 11:37:03 CEST
MGA6-32 on Thinkpad R50e MATE
No installation issues.
Used same testscript as above
$ perl perldbdtest.pl 
DBD::mysql::db do failed: Unknown table 'test.foo' at perldbdtest.pl line 14.
Dropping foo failed: DBD::mysql::db do failed: Unknown table 'test.foo' at perldbdtest.pl line 14.

Found a row: id = 1, name = Tim
Found a row: id = 2, name = Jochen
OK for me.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 6 claire robinson 2018-06-14 18:46:17 CEST
Nice test Herman. Validating.

Keywords: (none) => has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2018-06-14 18:58:47 CEST
Advisoried.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-06-14 20:16:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0283.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.