[debian-mysql] Bug#961849: mariadb-10.3: CVE-2020-2814 CVE-2020-2812 CVE-2020-2760 CVE-2020-2752

Salvatore Bonaccorso carnil at debian.org
Sat May 30 13:29:44 BST 2020


Source: mariadb-10.3
Version: 1:10.3.22-1
Severity: grave
Tags: security upstream
Control: found -1 1:10.3.22-0+deb10u1

Hi,

The following vulnerabilities were published for mariadb-10.3,
orthogonal to the severity we might discuss if this warrants a DSA or
rather enough to be fixed via the next point release (gut feeling is
the latter).

CVE-2020-2814[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.6.47 and prior,
| 5.7.28 and prior and 8.0.18 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2020-2812[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily
| exploitable vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2020-2760[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.7.29 and prior and
| 8.0.19 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server as well as
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2020-2752[3]:
| Vulnerability in the MySQL Client product of Oracle MySQL (component:
| C API). Supported versions that are affected are 5.6.47 and prior,
| 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Client. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Client. CVSS
| 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-2814
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814
[1] https://security-tracker.debian.org/tracker/CVE-2020-2812
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
[2] https://security-tracker.debian.org/tracker/CVE-2020-2760
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760
[3] https://security-tracker.debian.org/tracker/CVE-2020-2752
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752

Regards,
Salvatore
