Your message dated Tue, 25 Jul 2023 13:31:29 +0000
with message-id <[email protected]>
and subject line Bug#1041819: fixed in mysql-8.0 8.0.34-1
has caused the Debian Bug report #1041819,
regarding mysql-8.0: CVE-2023-22058 CVE-2023-22057 CVE-2023-22056
CVE-2023-22054 CVE-2023-22053 CVE-2023-22048 CVE-2023-22046 CVE-2023-22038
CVE-2023-22033 CVE-2023-22008 CVE-2023-22007 CVE-2023-22005 CVE-2023-21950
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1041819: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041819
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mysql-8.0
Version: 8.0.33-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2023-22058[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL). Supported versions that are affected are
| 8.0.33 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22057[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Replication). Supported versions that are
| affected are 8.0.33 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22056[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.33 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22054[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.33 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22053[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client programs). Supported versions that are affected
| are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks
| of this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of MySQL Server
| and unauthorized read access to a subset of MySQL Server accessible
| data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).
CVE-2023-22048[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Pluggable Auth). Supported versions that are
| affected are 8.0.33 and prior. Difficult to exploit vulnerability
| allows low privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized read access to a subset of
| MySQL Server accessible data. CVSS 3.1 Base Score 3.1
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22046[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.33 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22038[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges). Supported versions that
| are affected are 8.0.33 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 2.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-22033[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.33 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22008[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.33 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22007[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Replication). Supported versions that are
| affected are 5.7.41 and prior and 8.0.32 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-22005[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Replication). Supported versions that are
| affected are 8.0.33 and prior. Difficult to exploit vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21950[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Replication). Supported versions that are
| affected are 8.0.27 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22058
https://www.cve.org/CVERecord?id=CVE-2023-22058
[1] https://security-tracker.debian.org/tracker/CVE-2023-22057
https://www.cve.org/CVERecord?id=CVE-2023-22057
[2] https://security-tracker.debian.org/tracker/CVE-2023-22056
https://www.cve.org/CVERecord?id=CVE-2023-22056
[3] https://security-tracker.debian.org/tracker/CVE-2023-22054
https://www.cve.org/CVERecord?id=CVE-2023-22054
[4] https://security-tracker.debian.org/tracker/CVE-2023-22053
https://www.cve.org/CVERecord?id=CVE-2023-22053
[5] https://security-tracker.debian.org/tracker/CVE-2023-22048
https://www.cve.org/CVERecord?id=CVE-2023-22048
[6] https://security-tracker.debian.org/tracker/CVE-2023-22046
https://www.cve.org/CVERecord?id=CVE-2023-22046
[7] https://security-tracker.debian.org/tracker/CVE-2023-22038
https://www.cve.org/CVERecord?id=CVE-2023-22038
[8] https://security-tracker.debian.org/tracker/CVE-2023-22033
https://www.cve.org/CVERecord?id=CVE-2023-22033
[9] https://security-tracker.debian.org/tracker/CVE-2023-22008
https://www.cve.org/CVERecord?id=CVE-2023-22008
[10] https://security-tracker.debian.org/tracker/CVE-2023-22007
https://www.cve.org/CVERecord?id=CVE-2023-22007
[11] https://security-tracker.debian.org/tracker/CVE-2023-22005
https://www.cve.org/CVERecord?id=CVE-2023-22005
[12] https://security-tracker.debian.org/tracker/CVE-2023-21950
https://www.cve.org/CVERecord?id=CVE-2023-21950
Regards,
Salvatore
--- End Message ---
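A triage helper, added here as an example and not part of the bug report or of Debian's tooling: it parses advisory entries in the quoted format used above (two entries from the report are copied below as constructed input), extracts the affected-version ceilings and the CVSS vector, and reports which CVEs still apply to a given upstream version, so you can confirm that 8.0.34 clears them and that a 5.7.x ceiling is never compared against an 8.0.x install.

```python
import re

# Constructed sample: two entries copied in the "| "-quoted, wrapped format of
# the report above (ids and scores are the report's; the text is assembled here).
REPORT = """\
CVE-2023-22053[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client programs). Supported versions that are affected
| are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Server. CVSS 3.1 Base Score 5.9
| (Confidentiality and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).
CVE-2023-22007[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Replication). Supported versions that are
| affected are 5.7.41 and prior and 8.0.32 and prior. CVSS 3.1 Base
| Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
"""

ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d+)\[\d+\]:\n((?:\| .*\n?)+)", re.M)

def parse_entries(text):
    """Return {cve: {"component", "ceilings", "score", "vector"}}."""
    entries = {}
    for cve, body in ENTRY_RE.findall(text):
        flat = " ".join(line[2:] for line in body.splitlines())  # unwrap
        comp = re.search(r"component: ([^)]+)\)", flat).group(1)
        ceilings = [tuple(map(int, v.split(".")))
                    for v in re.findall(r"(\d+\.\d+\.\d+) and prior", flat)]
        score = float(re.search(r"Base Score (\d+\.\d+)", flat).group(1))
        vec = re.search(r"\(CVSS:3\.1/([^)]+)\)", flat).group(1)
        metrics = dict(m.split(":") for m in vec.split("/"))
        entries[cve] = {"component": comp, "ceilings": ceilings,
                        "score": score, "vector": metrics}
    return entries

def affected(entry, installed):
    """True if `installed` (upstream x.y.z) is at or below a ceiling of the
    same major.minor series; a 5.7.x ceiling says nothing about 8.0.x."""
    v = tuple(map(int, installed.split(".")))
    return any(c[:2] == v[:2] and v <= c for c in entry["ceilings"])

def triage(text, installed):
    """CVEs that apply to `installed`, highest CVSS base score first."""
    hits = [(cve, e) for cve, e in parse_entries(text).items()
            if affected(e, installed)]
    return sorted(hits, key=lambda x: -x[1]["score"])
```

Note that the quoted text for CVE-2023-22007 names 8.0.32 as its ceiling, so an 8.0.33 install is reported as affected only by CVE-2023-22053 here; the Debian report still lists both because the package was at 8.0.33-2.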
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.34-1
Done: Lena Voytek <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lena Voytek <[email protected]> (supplier of updated mysql-8.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 24 Jul 2023 13:27:11 -0700
Source: mysql-8.0
Binary: libmysqlclient21 libmysqlclient-dev mysql-client-core-8.0
mysql-client-8.0 mysql-server-core-8.0 mysql-server-8.0 mysql-server
mysql-client mysql-testsuite mysql-testsuite-8.0 mysql-source-8.0 mysql-router
Architecture: source
Version: 8.0.34-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <[email protected]>
Changed-By: Lena Voytek <[email protected]>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient21 - MySQL database client library
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-8.0 - MySQL database client binaries
mysql-client-core-8.0 - MySQL database core client binaries
mysql-router - route connections from MySQL clients to MySQL servers
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-8.0 - MySQL database server binaries and system database setup
mysql-server-core-8.0 - MySQL database server binaries
mysql-source-8.0 - MySQL source
mysql-testsuite - MySQL regression tests
mysql-testsuite-8.0 - MySQL 8.0 testsuite
Closes: 1041819
Changes:
mysql-8.0 (8.0.34-1) unstable; urgency=medium
.
* Imported upstream version 8.0.34 to fix security issues
- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixMSQL
- CVE-2023-22058 CVE-2023-22057 CVE-2023-22056 CVE-2023-22054
CVE-2023-22053 CVE-2023-22048 CVE-2023-22046 CVE-2023-22038
CVE-2023-22033 CVE-2023-22008 CVE-2023-22005
Upstream release notes:
- https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-34.html
(Closes: #1041819)
* d/p/fix_expired_date_in_test.patch: Remove - fixed upstream
--- End Message ---