[debian-mysql] Bug#920933: mariadb-10.3: CVE-2019-2510 CVE-2019-2537

Salvatore Bonaccorso carnil at debian.org
Wed Jan 30 17:02:34 GMT 2019


Source: mariadb-10.3
Version: 1:10.3.12-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for mariadb-10.3; they
are listed as to be fixed in 10.3.13[2].

CVE-2019-2510[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: InnoDB). Supported versions that are affected are
| 5.7.24 and prior and 8.0.13 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2537[1]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: DDL). Supported versions that are affected are
| 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily
| exploitable vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2510
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2510
[1] https://security-tracker.debian.org/tracker/CVE-2019-2537
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537
[2] https://mariadb.com/kb/en/library/mariadb-10313-release-notes/

Regards,
Salvatore


