[debian-mysql] Bug#884065: mariadb-10.2: CVE-2017-10378 CVE-2017-10268 CVE-2017-15365

Salvatore Bonaccorso carnil at debian.org
Mon Dec 11 06:19:22 UTC 2017


Source: mariadb-10.2
Version: 10.2.7-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for mariadb-10.2; these
are fixed in 10.2.10.

CVE-2017-10378[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Optimizer). Supported versions that are
| affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and
| earlier. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10268[1]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Replication). Supported versions that are
| affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and
| earlier. Difficult to exploit vulnerability allows high privileged
| attacker with logon to the infrastructure where MySQL Server executes
| to compromise MySQL Server. Successful attacks of this vulnerability
| can result in unauthorized access to critical data or complete access
| to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2017-15365[2]:
Replication in sql/event_data_objects.cc occurs before ACL checks

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378
[1] https://security-tracker.debian.org/tracker/CVE-2017-10268
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268
[2] https://security-tracker.debian.org/tracker/CVE-2017-15365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365

Regards,
Salvatore


