Your message dated Tue, 14 May 2024 12:42:18 +0000 with message-id <e1s6ru2-009ljx...@fasolo.debian.org> and subject line Bug#1069189: fixed in mysql-8.0 8.0.37-1 has caused the Debian Bug report #1069189, regarding mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21000 CVE-2024-20998 CVE-2024-20994 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1069189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21013[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21009[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21008[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21000[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE-2024-20998[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-20994[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21102
    https://www.cve.org/CVERecord?id=CVE-2024-21102
[1] https://security-tracker.debian.org/tracker/CVE-2024-21096
    https://www.cve.org/CVERecord?id=CVE-2024-21096
[2] https://security-tracker.debian.org/tracker/CVE-2024-21087
    https://www.cve.org/CVERecord?id=CVE-2024-21087
[3] https://security-tracker.debian.org/tracker/CVE-2024-21069
    https://www.cve.org/CVERecord?id=CVE-2024-21069
[4] https://security-tracker.debian.org/tracker/CVE-2024-21062
    https://www.cve.org/CVERecord?id=CVE-2024-21062
[5] https://security-tracker.debian.org/tracker/CVE-2024-21060
    https://www.cve.org/CVERecord?id=CVE-2024-21060
[6] https://security-tracker.debian.org/tracker/CVE-2024-21054
    https://www.cve.org/CVERecord?id=CVE-2024-21054
[7] https://security-tracker.debian.org/tracker/CVE-2024-21047
    https://www.cve.org/CVERecord?id=CVE-2024-21047
[8] https://security-tracker.debian.org/tracker/CVE-2024-21013
    https://www.cve.org/CVERecord?id=CVE-2024-21013
[9] https://security-tracker.debian.org/tracker/CVE-2024-21009
    https://www.cve.org/CVERecord?id=CVE-2024-21009
[10] https://security-tracker.debian.org/tracker/CVE-2024-21008
     https://www.cve.org/CVERecord?id=CVE-2024-21008
[11] https://security-tracker.debian.org/tracker/CVE-2024-21000
     https://www.cve.org/CVERecord?id=CVE-2024-21000
[12] https://security-tracker.debian.org/tracker/CVE-2024-20998
     https://www.cve.org/CVERecord?id=CVE-2024-20998
[13] https://security-tracker.debian.org/tracker/CVE-2024-20994
     https://www.cve.org/CVERecord?id=CVE-2024-20994

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.37-1
Done: Lena Voytek <lena.voy...@canonical.com>

We believe that the bug you reported is fixed in the latest version of mysql-8.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1069...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 May 2024 12:10:48 +0200
Source: mysql-8.0
Built-For-Profiles: noudeb
Architecture: source
Version: 8.0.37-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Closes: 1069189
Changes:
 mysql-8.0 (8.0.37-1) unstable; urgency=medium
 .
   * Imported upstream version 8.0.37 to fix security issues
     - https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixMSQL
     - CVE-2023-6129 CVE-2024-20993 CVE-2024-20994 CVE-2024-20998 CVE-2024-21000
       CVE-2024-21009 CVE-2024-21013 CVE-2024-21015 CVE-2024-21047 CVE-2024-21049
       CVE-2024-21050 CVE-2024-21051 CVE-2024-21052 CVE-2024-21053 CVE-2024-21054
       CVE-2024-21055 CVE-2024-21056 CVE-2024-21057 CVE-2024-21060 CVE-2024-21061
       CVE-2024-21062 CVE-2024-21069 CVE-2024-21087 CVE-2024-21096 CVE-2024-21102
     Upstream release notes:
     - https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-37.html
     (Closes: #1069189)
   * d/p/revert_faster_tls_model.patch: Refresh
Checksums-Sha1:
 63e43c4b1a03cb60ac6481d0f4ef0b233a7935a2 3764 mysql-8.0_8.0.37-1.dsc
 8833609dfd564b518796852923c21aa05f95c9f0 445594692 mysql-8.0_8.0.37.orig.tar.gz
 feed7c51b2c0525a169ec328c1e19276b41dcfd3 833 mysql-8.0_8.0.37.orig.tar.gz.asc
 7e194d603faa890f18f25d274a71f5584f91784d 145568 mysql-8.0_8.0.37-1.debian.tar.xz
 deffe792968a730674d26a29b3fe9644c593fe47 7118 mysql-8.0_8.0.37-1_source.buildinfo
Checksums-Sha256:
 60d9d0be5284e9e1a6cd1ec4f101c20b1bced7769fa6a30b5801ca312798ff49 3764 mysql-8.0_8.0.37-1.dsc
 fe0c7986f6a2d6a2ddf65e00aadb90fa6cb73da38c4172dc2b930dd1c2dc4af6 445594692 mysql-8.0_8.0.37.orig.tar.gz
 89fa6c3675f01d23816583552d31a5388f4a862b48067f30664ec9dfcbb55ddd 833 mysql-8.0_8.0.37.orig.tar.gz.asc
 45a3f5b733fba21afcadb9a3c2919e9ee0557b88a249a38c8d796dec8d86ae14 145568 mysql-8.0_8.0.37-1.debian.tar.xz
 527f61ce776c3627c9676bbed9f15a2bc2c5ea00a8084af13f7091e114672620 7118 mysql-8.0_8.0.37-1_source.buildinfo
Files:
 1838fc3de702d258f3de472b12afee4e 3764 database optional mysql-8.0_8.0.37-1.dsc
 e0cb61cbf6e1144c452368c4535ae931 445594692 database optional mysql-8.0_8.0.37.orig.tar.gz
 6512b70c4dedb8fcc5b704f5610fbbcb 833 database optional mysql-8.0_8.0.37.orig.tar.gz.asc
 25dcf794c93ff1c7dad9090e6eaf6fe7 145568 database optional mysql-8.0_8.0.37-1.debian.tar.xz
 c36e22b5664e70b265aebf28cd92910d 7118 database optional mysql-8.0_8.0.37-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEY+78PeFNUUbOfyS/NLitfZUp55MFAmZDTzwaHGxlbmEudm95
dGVrQGNhbm9uaWNhbC5jb20ACgkQNLitfZUp55NTchAAoIhc+WiUoaDLA86Vuv7n
Oqvv3AF9z9GkWiBgu+ZgWDaNWfvs8jYJIXKwMaa28rt1qQYEqobQiT9V/w2RDnPX
l2cu+yUHmwhDUWykGKCX3hDlOO/925uir+T1rAW6HTM/o43weg18djlUIfy6K0na
+chaiv1cdjDeWCKIcEnLRxB/vnZnjssaotJMFcQEH/DFvNkyxEWRk/lM5nnXqARW
ot+j6nGdWMFeE4NgFiHap2cIt20O+W+J0fEWNEdaftCYsbo4iT1oocQLigqWimQ2
DBqie81hKfbLnLnX6rwTtqmoPsk6/ajDhU4TdXZu7GRPsVlkl45holYd5Nf6IYus
32NLuCE7cewOaBSeknP+uZNos5cqn/tn/EPND1EGK4WpJr4fmDHPcOEu5VPzN0Wi
ccLZPWQ2RPU7l5aRPjPEhreokRLtbaN8IOYuKQvoju/drVjxBYZc+i7Mndr1n8aq
TJ7+qKErxYCC7GXnBYpu/xwIBXiQRwQsHkJDe8dFnKLRUqZyVVY2aSFX9glDvCmS
x3qWbrEczH3egXrtBMtjpTo+y1u1wfNdwmfCw4JGebPrEFH+eq9h2jmaQcPdw3xO
Qq5P2vsuZVyiRO7Sfu+gncHnrMPj4ses+FqC3bVtJIo2963/S2EamVphhrF2Fqaw
cpA40RFZsMRF2sQb2tG1924=
=I7pR
-----END PGP SIGNATURE-----
--- End Message ---
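The closing message names 8.0.37-1 as the version that fixes the bug. As an added example, not dpkg's code and not the Debian maintainers' tooling, here is a Python port of the version ordering dpkg uses (Debian Policy section 5.6.12, the verrevcmp() algorithm), applied to a constructed host inventory to list hosts whose mysql-8.0 package sorts below 8.0.37-1. The inventory, the host names and the function names are the example's own.

```python
"""Debian version comparison (added example, a Python port of dpkg's ordering;
not dpkg's own code).

Lets a fleet be checked for mysql-8.0 versions below the fixing upload
8.0.37-1 without shelling out to `dpkg --compare-versions` on every host.
"""

FIXED_VERSION = "8.0.37-1"  # the version the close message names as fixed


def _order(ch: str) -> int:
    """Weight of one character inside a non-digit run: '~' sorts before
    anything, including end of string (so 8.0.37~rc1 < 8.0.37); letters sort
    before non-letters; end of string weighs 0."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) as alternating
    non-digit and digit runs; negative, zero or positive like C's strcmp."""
    ia = ib = 0

    def cur(s, i):
        return s[i] if i < len(s) else ""

    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character using _order().
        while (cur(a, ia) and not cur(a, ia).isdigit()) or (cur(b, ib) and not cur(b, ib).isdigit()):
            oa, ob = _order(cur(a, ia)), _order(cur(b, ib))
            if oa != ob:
                return oa - ob
            ia += 1
            ib += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides (so 100 > 37 and 037 == 37).
        while cur(a, ia) == "0":
            ia += 1
        while cur(b, ib) == "0":
            ib += 1
        first_diff = 0
        while cur(a, ia).isdigit() and cur(b, ib).isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if cur(a, ia).isdigit():
            return 1
        if cur(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0 and a missing
    revision compares equal to '0' under _cmp_fragment."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixing version."""
    return compare_versions(installed, fixed) >= 0


def hosts_below_fixed(inventory: dict, fixed: str = FIXED_VERSION) -> list:
    """Hosts whose mysql-8.0 version sorts below the fixing version."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed))


# Constructed inventory (hostname -> dpkg version of mysql-server-8.0); not real hosts.
SAMPLE_INVENTORY = {
    "db-01": "8.0.36-1",
    "db-02": "8.0.37-1",
    "db-03": "8.0.37-0ubuntu1",  # Ubuntu-style revision: 0ubuntu1 sorts below 1
    "db-04": "8.0.37~rc1-1",     # '~' sorts before the release
    "db-05": "8.0.100-1",        # numeric, not lexicographic: 100 > 37
}

if __name__ == "__main__":
    for host in hosts_below_fixed(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} sorts below {FIXED_VERSION}")
```

The comparison is an ordering, not a statement about which patches a package carries, so compare against the fixing version published for the distribution the host actually runs: an Ubuntu build of the same upstream 8.0.37 source sorts below 8.0.37-1 (the db-03 entry above) even though it contains the same upstream fixes, and Ubuntu publishes its own fixing version for its releases.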