[debian-mysql] Bug#928393: mariadb-10.3: CVE-2019-2614 CVE-2019-2627 CVE-2019-2628

Salvatore Bonaccorso carnil at debian.org
Fri May 3 16:09:03 BST 2019


Source: mariadb-10.3
Version: 1:10.3.14-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for mariadb-10.3.

CVE-2019-2614[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Replication). Supported versions that are
| affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS
| Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2019-2627[1]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Security: Privileges). Supported versions that
| are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2019-2628[2]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: InnoDB). Supported versions that are affected are
| 5.7.25 and prior and 8.0.15 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2614
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2614
[1] https://security-tracker.debian.org/tracker/CVE-2019-2627
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2627
[2] https://security-tracker.debian.org/tracker/CVE-2019-2628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2628
[3] https://mariadb.com/kb/en/library/mariadb-10315-release-notes/

Regards,
Salvatore
