Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
severity 887751 serious
thanks

Hello Guido,

ok, that does make sense, to have at least a RC severity to keep the
bad/affected version out of testing. If your severity upgrading email
would have contained this reasoning I wouldn't have downgraded it :)

"grave" is too high though as this security issue has a DoS impact and
not an access/privilege one. For the RC part to work "serious" is
adequate though.

Thanks for the clarification.

Best regards,

Mirco (meebey) Bauer

FOSS Hacker                              mee...@meebey.net   https://www.meebey.net/
Debian Developer                         mee...@debian.org   http://www.debian.org/
GNOME Foundation Member                  mmmba...@gnome.org  http://www.gnome.org/
CTO @ Gatecoin Ltd.                      mi...@gatecoin.com  https://gatecoin.com/
.NET Foundation Advisory Council Member  http://www.dotnetfoundation.org/
PGP-Key ID 0x7127E5ABEEF946C8            https://meebey.net/pubkey.asc

On Tue, Jan 23, 2018 at 2:37 PM, Guido Günther wrote:
> Hi Mirco,
>
> On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
> > severity 887751 important
> > thanks
> >
> > Hello Guido,
> >
> > thank you for the report.
> >
> > CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
> > You have bumped the severity from important to grave without an
> > explanation.
>
> It only went in as important because I messed up the original report,
> sorry about that.
>
> > Is there something you want to share?
>
> I marked it as no-dsa in the security tracker because I don't see a
> sensible way to fix this in stable / oldstable (given Oracle's update
> policy) and due to the affected reverse dependencies we currently have
> in these releases. But I deem the issue important enough to not let the
> package slip into a stable release again "accidentally". Does this make
> sense?
>
> Cheers,
>  -- Guido
>
> > [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585
> >
> > Best regards,
> >
> > Mirco (meebey) Bauer
> >
> > FOSS Hacker                              mee...@meebey.net   https://www.meebey.net/
> > Debian Developer                         mee...@debian.org   http://www.debian.org/
> > GNOME Foundation Member                  mmmba...@gnome.org  http://www.gnome.org/
> > CTO @ Gatecoin Ltd.                      mi...@gatecoin.com  https://gatecoin.com/
> > .NET Foundation Advisory Council Member  http://www.dotnetfoundation.org/
> > PGP-Key ID 0x7127E5ABEEF946C8            https://meebey.net/pubkey.asc
> >
> > On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <a...@sigxcpu.org> wrote:
> > > Package: mysql-connector-net
> > > X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
> > > Severity: important
> > > Tags: grave
> > > Version: 6.4.3-2
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for mysql-connector-net.
> > >
> > > CVE-2018-2585[0]:
> > > | Vulnerability in the MySQL Connectors component of Oracle MySQL
> > > | (subcomponent: Connector/Net). Supported versions that are affected
> > > | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> > > | vulnerability allows unauthenticated attacker with network access via
> > > | multiple protocols to compromise MySQL Connectors. Successful attacks
> > > | of this vulnerability can result in unauthorized ability to cause a
> > > | hang or frequently repeatable crash (complete DOS) of MySQL
> > > | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> > > | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-2585
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> > >
> > > Please adjust the affected versions in the BTS as needed.
> > >
> > > ___
> > > pkg-cli-libs-team mailing list
> > > pkg-cli-libs-t...@lists.alioth.debian.org
> > > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Hi Mirco,

On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
> severity 887751 important
> thanks
>
> Hello Guido,
>
> thank you for the report.
>
> CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
> You have bumped the severity from important to grave without an
> explanation.

It only went in as important because I messed up the original report,
sorry about that.

> Is there something you want to share?

I marked it as no-dsa in the security tracker because I don't see a
sensible way to fix this in stable / oldstable (given Oracle's update
policy) and due to the affected reverse dependencies we currently have
in these releases. But I deem the issue important enough to not let the
package slip into a stable release again "accidentally". Does this make
sense?

Cheers,
 -- Guido

> [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585
>
> Best regards,
>
> Mirco (meebey) Bauer
>
> FOSS Hacker                              mee...@meebey.net   https://www.meebey.net/
> Debian Developer                         mee...@debian.org   http://www.debian.org/
> GNOME Foundation Member                  mmmba...@gnome.org  http://www.gnome.org/
> CTO @ Gatecoin Ltd.                      mi...@gatecoin.com  https://gatecoin.com/
> .NET Foundation Advisory Council Member  http://www.dotnetfoundation.org/
> PGP-Key ID 0x7127E5ABEEF946C8            https://meebey.net/pubkey.asc
>
> On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <a...@sigxcpu.org> wrote:
> > Package: mysql-connector-net
> > X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
> > Severity: important
> > Tags: grave
> > Version: 6.4.3-2
> >
> > Hi,
> >
> > the following vulnerability was published for mysql-connector-net.
> >
> > CVE-2018-2585[0]:
> > | Vulnerability in the MySQL Connectors component of Oracle MySQL
> > | (subcomponent: Connector/Net). Supported versions that are affected
> > | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> > | vulnerability allows unauthenticated attacker with network access via
> > | multiple protocols to compromise MySQL Connectors. Successful attacks
> > | of this vulnerability can result in unauthorized ability to cause a
> > | hang or frequently repeatable crash (complete DOS) of MySQL
> > | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> > | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-2585
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> >
> > Please adjust the affected versions in the BTS as needed.
Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
severity 887751 important
thanks

Hello Guido,

thank you for the report.

CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
You have bumped the severity from important to grave without an
explanation.

Is there something you want to share?

[0]: https://security-tracker.debian.org/tracker/CVE-2018-2585

Best regards,

Mirco (meebey) Bauer

FOSS Hacker                              mee...@meebey.net   https://www.meebey.net/
Debian Developer                         mee...@debian.org   http://www.debian.org/
GNOME Foundation Member                  mmmba...@gnome.org  http://www.gnome.org/
CTO @ Gatecoin Ltd.                      mi...@gatecoin.com  https://gatecoin.com/
.NET Foundation Advisory Council Member  http://www.dotnetfoundation.org/
PGP-Key ID 0x7127E5ABEEF946C8            https://meebey.net/pubkey.asc

On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther wrote:
> Package: mysql-connector-net
> X-Debbugs-CC: t...@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: important
> Tags: grave
> Version: 6.4.3-2
>
> Hi,
>
> the following vulnerability was published for mysql-connector-net.
>
> CVE-2018-2585[0]:
> | Vulnerability in the MySQL Connectors component of Oracle MySQL
> | (subcomponent: Connector/Net). Supported versions that are affected
> | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> | vulnerability allows unauthenticated attacker with network access via
> | multiple protocols to compromise MySQL Connectors. Successful attacks
> | of this vulnerability can result in unauthorized ability to cause a
> | hang or frequently repeatable crash (complete DOS) of MySQL
> | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-2585
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
>
> Please adjust the affected versions in the BTS as needed.
Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection
Package: mysql-connector-net
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: important
Tags: grave
Version: 6.4.3-2

Hi,

the following vulnerability was published for mysql-connector-net.

CVE-2018-2585[0]:
| Vulnerability in the MySQL Connectors component of Oracle MySQL
| (subcomponent: Connector/Net). Supported versions that are affected
| are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise MySQL Connectors. Successful attacks
| of this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of MySQL
| Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
| Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-2585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585

Please adjust the affected versions in the BTS as needed.