Bug#866818: libdbd-mysql-perl: CVE-2017-10788
Guido Günther
agx at sigxcpu.org
Mon Aug 28 12:56:36 UTC 2017
Hi,
On Sun, Jul 02, 2017 at 09:15:39AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libdbd-mysql-perl.
>
> CVE-2017-10788[0]:
> | The DBD::mysql module through 4.043 for Perl allows remote attackers to
> | cause a denial of service (use-after-free and application crash) or
> | possibly have unspecified other impact by triggering (1) certain error
> | responses from a MySQL server or (2) a loss of a network connection to
> | a MySQL server. The use-after-free defect was introduced by relying on
> | incorrect Oracle mysql_stmt_close documentation and code examples.
>
> Related discussions in [1] and [2]. [2] contains a proposed patch.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10788
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
> [1] http://seclists.org/oss-sec/2017/q2/443
> [2] https://github.com/perl5-dbi/DBD-mysql/issues/120
>
> Please adjust the affected versions in the BTS as needed.
I've pinged upstream again asking why the patch is still pending:
https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844
Cheers,
-- Guido
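An added illustration of the defect class named in the CVE text above, not code from the bug report, from DBD::mysql or from libmysqlclient. The point of the CVE description is that mysql_stmt_close() deallocates the statement handle whether or not the server-side close succeeded, so any code that consults the handle after close (as the old Oracle documentation example did, which is my reading of upstream issue #120 rather than something this page states) reads freed memory; an error response from the server or a dropped connection is exactly the case where close returns failure and tempts the caller into doing that. The C below models the handle lifecycle with constructed fake_conn / fake_stmt types and a fake_stmt_close() stand-in (all names are hypothetical), shows the vulnerable close-then-read pattern, and the hardened form that takes its diagnostics only from the connection handle, which outlives the statement:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal constructed models of a connection and a prepared-statement
 * handle: just enough to show who owns the error text and when it dies.
 * These are NOT the real MYSQL / MYSQL_STMT layouts. */
typedef struct {
    char last_error[128];       /* what mysql_error(conn) would return */
} fake_conn;

typedef struct {
    fake_conn *conn;            /* a statement is bound to one connection */
    char last_error[128];       /* what mysql_stmt_error(stmt) would return */
} fake_stmt;

static fake_stmt *fake_stmt_init(fake_conn *conn) {
    fake_stmt *s = calloc(1, sizeof *s);
    if (s) s->conn = conn;
    return s;
}

/* Stand-in for mysql_stmt_close(): the server-side close can fail (error
 * response, or the connection is already gone) and that is reported with a
 * nonzero return, but the handle is deallocated either way. The message is
 * recorded on the connection, which is still alive afterwards. */
static int fake_stmt_close(fake_stmt *stmt, int server_fails) {
    int rc = 0;
    if (server_fails) {
        const char *msg = "Lost connection to MySQL server during query";
        snprintf(stmt->conn->last_error, sizeof stmt->conn->last_error, "%s", msg);
        snprintf(stmt->last_error, sizeof stmt->last_error, "%s", msg);
        rc = 1;
    }
    memset(stmt, 0, sizeof *stmt);   /* poison, so stale reads see garbage */
    free(stmt);                      /* handle is gone from here on */
    return rc;
}

/* VULNERABLE pattern (the shape the CVE text attributes to the old Oracle
 * example): on failure, ask the handle that close() just freed for the
 * error text. Deliberately never called in this file. */
static void close_then_report_uaf(fake_stmt *stmt) {
    if (fake_stmt_close(stmt, 1)) {
        /* use-after-free: stmt was released inside fake_stmt_close() */
        fprintf(stderr, "close failed: %s\n", stmt->last_error);
    }
}

/* HARDENED pattern: capture everything you still need (here the connection
 * pointer) before close, and never touch the statement afterwards. Any
 * diagnostic is read from the connection handle. Returns close's rc and
 * copies the message (or "") into errbuf. */
static int close_stmt_safely(fake_stmt *stmt, int server_fails,
                             char *errbuf, size_t errbuf_len) {
    fake_conn *conn = stmt->conn;            /* taken BEFORE the close */
    int rc = fake_stmt_close(stmt, server_fails);
    stmt = NULL;                             /* dead handle: prevent reuse */
    if (rc)
        snprintf(errbuf, errbuf_len, "%s", conn->last_error);
    else if (errbuf_len)
        errbuf[0] = '\0';
    return rc;
}

int main(void) {
    fake_conn conn = {{0}};
    char err[128];
    fake_stmt *stmt = fake_stmt_init(&conn);
    if (!stmt) return 1;
    int rc = close_stmt_safely(stmt, 1, err, sizeof err);   /* simulate a dropped link */
    printf("close rc=%d, error=\"%s\"\n", rc, err);
    (void)close_then_report_uaf;   /* referenced only so it compiles; not run */
    return 0;
}
```

The design point generalises beyond MySQL: when an API's "close" both releases the object and can report failure, the failure must be reported through something that survives the call (a return code, an out-parameter, or a parent handle), and the fix for a client that got this wrong is to stop dereferencing the released handle, not to check the return value harder.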
More information about the pkg-perl-maintainers mailing list