Hi,

On Sun, Jul 02, 2017 at 09:15:39AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libdbd-mysql-perl.
>
> CVE-2017-10788[0]:
> | The DBD::mysql module through 4.043 for Perl allows remote attackers to
> | cause a denial of service (use-after-free and application crash) or
> | possibly have unspecified other impact by triggering (1) certain error
> | responses from a MySQL server or (2) a loss of a network connection to
> | a MySQL server. The use-after-free defect was introduced by relying on
> | incorrect Oracle mysql_stmt_close documentation and code examples.
>
> Related discussions in [1] and [2]. [2] contains a proposed patch.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10788
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
> [1] http://seclists.org/oss-sec/2017/q2/443
> [2] https://github.com/perl5-dbi/DBD-mysql/issues/120
>
> Please adjust the affected versions in the BTS as needed.

I've pinged upstream again asking why the patch is still pending:
https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844

Cheers,
-- Guido