Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection

2018-01-22 Thread Mirco Bauer
severity 887751 serious
thanks

Hello Guido,

ok, that does make sense, to have at least an RC severity to keep the
bad/affected version out of testing.
If your severity upgrading email had contained this reasoning I
wouldn't have downgraded it :)

"grave" is too high though as this security issue has a DoS impact and not
an access/privilege one.
For the RC part to work "serious" is adequate though.

Thanks for the clarification.

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             mee...@meebey.net  https://www.meebey.net/
Debian Developer        mee...@debian.org  http://www.debian.org/
GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
CTO @ Gatecoin Ltd.     mi...@gatecoin.com https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc

On Tue, Jan 23, 2018 at 2:37 PM, Guido Günther  wrote:

> Hi Mirco,
> On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
> >severity 887751 important
> >thanks
> >
> >Hello Guido,
> >
> >thank you for the report.
> >
> >CVE-2018-2585 has been rated by the Debian security as a minor issue
> [0].
> >You have bumped the severity from important to grave without an
> >explanation.
>
> It only went in as important because I messed up the original report,
> sorry about that.
>
> >Is there something you want to share?
>
> I marked it as no-dsa in the security tracker because I don't see a
> sensible way to fix this in stable / oldstable (given Oracle's update
> policy) and due to the affected reverse dependencies we currently have
> in these releases. But I deem the issue important enough to not let the
> package slip into a stable release again "accidentally". Does this make
> sense?
>
> Cheers,
>  -- Guido
>
> > [0]: [1]https://security-tracker.debian.org/tracker/CVE-2018-2585
> >Best regards,
> >
> >Mirco (meebey) Bauer
> >
> >FOSS Hacker             [2]mee...@meebey.net  [3]https://www.meebey.net/
> >Debian Developer        [4]mee...@debian.org  [5]http://www.debian.org/
> >GNOME Foundation Member [6]mmmba...@gnome.org [7]http://www.gnome.org/
> >CTO @ Gatecoin Ltd.     [8]mi...@gatecoin.com [9]https://gatecoin.com/
> >.NET Foundation Advisory Council Member
> > [10]http://www.dotnetfoundation.org/
> >PGP-Key ID  0x7127E5ABEEF946C8
> >[11]https://meebey.net/pubkey.asc
> >On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <[12]a...@sigxcpu.org>
> >wrote:
> >
> >  Package: mysql-connector-net
> >  X-Debbugs-CC: [13]t...@security.debian.org
> >  [14]secure-testing-t...@lists.alioth.debian.org
> >  Severity: important
> >  Tags: grave
> >  Version: 6.4.3-2
> >
> >  Hi,
> >
> >  the following vulnerability was published for mysql-connector-net.
> >
> >  CVE-2018-2585[0]:
> >  | Vulnerability in the MySQL Connectors component of Oracle MySQL
> >  | (subcomponent: Connector/Net). Supported versions that are affected
> >  | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> >  | vulnerability allows unauthenticated attacker with network access via
> >  | multiple protocols to compromise MySQL Connectors. Successful attacks
> >  | of this vulnerability can result in unauthorized ability to cause a
> >  | hang or frequently repeatable crash (complete DOS) of MySQL
> >  | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> >  | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> >
> >  If you fix the vulnerability please also make sure to include the
> >  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> >  For further information see:
> >
> >  [0] [15]https://security-tracker.debian.org/tracker/CVE-2018-2585
> >  [16]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> >
> >  Please adjust the affected versions in the BTS as needed.
> >
> >  ___
> >  pkg-cli-libs-team mailing list
> >  [17]pkg-cli-libs-t...@lists.alioth.debian.org
> >  [18]http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
> >
> > References
> >
> >Visible links
> >1. https://security-tracker.debian.org/tracker/CVE-2018-2585
> >2. mailto:mee...@meebey.net
> >3. https://www.meebey.net/
> >4. mailto:mee...@debian.org
> >5. http://www.debian.org/
> >6. mailto:mmmba...@gnome.org
> >7. http://www.gnome.org/
> >8. mailto:mi...@gatecoin.com
> >9. https://gatecoin.com/
> >   10. http://www.dotnetfoundation.org/
> >   11. https://meebey.net/pubkey.asc
> >   12. mailto:a...@sigxcpu.org
> >   13. mailto:t...@security.debian.org
> >   14. mailto:secure-testing-t...@lists.alioth.debian.org
> >   15. https://security-tracker.debian.org/tracker/CVE-2018-2585

Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection

2018-01-22 Thread Guido Günther
Hi Mirco,
On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
>severity 887751 important
>thanks
> 
>Hello Guido,
> 
>thank you for the report.
> 
>CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
>You have bumped the severity from important to grave without an
>explanation.

It only went in as important because I messed up the original report,
sorry about that.

>Is there something you want to share?

I marked it as no-dsa in the security tracker because I don't see a
sensible way to fix this in stable / oldstable (given Oracle's update
policy) and due to the affected reverse dependencies we currently have
in these releases. But I deem the issue important enough to not let the
package slip into a stable release again "accidentally". Does this make
sense?

Cheers,
 -- Guido

> [0]: [1]https://security-tracker.debian.org/tracker/CVE-2018-2585
>Best regards,
> 
>Mirco (meebey) Bauer
> 
>FOSS Hacker             [2]mee...@meebey.net  [3]https://www.meebey.net/
>Debian Developer        [4]mee...@debian.org  [5]http://www.debian.org/
>GNOME Foundation Member [6]mmmba...@gnome.org [7]http://www.gnome.org/
>CTO @ Gatecoin Ltd.     [8]mi...@gatecoin.com [9]https://gatecoin.com/
>.NET Foundation Advisory Council Member  
> [10]http://www.dotnetfoundation.org/
>PGP-Key ID              0x7127E5ABEEF946C8
>[11]https://meebey.net/pubkey.asc
>On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <[12]a...@sigxcpu.org>
>wrote:
> 
>  Package: mysql-connector-net
>  X-Debbugs-CC: [13]t...@security.debian.org
>  [14]secure-testing-t...@lists.alioth.debian.org
>  Severity: important
>  Tags: grave
>  Version: 6.4.3-2
> 
>  Hi,
> 
>  the following vulnerability was published for mysql-connector-net.
> 
>  CVE-2018-2585[0]:
>  | Vulnerability in the MySQL Connectors component of Oracle MySQL
>  | (subcomponent: Connector/Net). Supported versions that are affected
>  | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
>  | vulnerability allows unauthenticated attacker with network access via
>  | multiple protocols to compromise MySQL Connectors. Successful attacks
>  | of this vulnerability can result in unauthorized ability to cause a
>  | hang or frequently repeatable crash (complete DOS) of MySQL
>  | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
>  | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> 
>  If you fix the vulnerability please also make sure to include the
>  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
>  For further information see:
> 
>  [0] [15]https://security-tracker.debian.org/tracker/CVE-2018-2585
>      [16]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> 
>  Please adjust the affected versions in the BTS as needed.
> 
>  ___
>  pkg-cli-libs-team mailing list
>  [17]pkg-cli-libs-t...@lists.alioth.debian.org
>  [18]http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
> 
> References
> 
>Visible links
>1. https://security-tracker.debian.org/tracker/CVE-2018-2585
>2. mailto:mee...@meebey.net
>3. https://www.meebey.net/
>4. mailto:mee...@debian.org
>5. http://www.debian.org/
>6. mailto:mmmba...@gnome.org
>7. http://www.gnome.org/
>8. mailto:mi...@gatecoin.com
>9. https://gatecoin.com/
>   10. http://www.dotnetfoundation.org/
>   11. https://meebey.net/pubkey.asc
>   12. mailto:a...@sigxcpu.org
>   13. mailto:t...@security.debian.org
>   14. mailto:secure-testing-t...@lists.alioth.debian.org
>   15. https://security-tracker.debian.org/tracker/CVE-2018-2585
>   16. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
>   17. mailto:pkg-cli-libs-t...@lists.alioth.debian.org
>   18. http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team



Bug#887751: [pkg-cli-libs-team] Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection

2018-01-22 Thread Mirco Bauer
severity 887751 important
thanks

Hello Guido,

thank you for the report.

CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
You have bumped the severity from important to grave without an explanation.
Is there something you want to share?

 [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             mee...@meebey.net  https://www.meebey.net/
Debian Developer        mee...@debian.org  http://www.debian.org/
GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
CTO @ Gatecoin Ltd.     mi...@gatecoin.com https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc

On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther  wrote:

> Package: mysql-connector-net
> X-Debbugs-CC: t...@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: important
> Tags: grave
> Version: 6.4.3-2
>
> Hi,
>
> the following vulnerability was published for mysql-connector-net.
>
> CVE-2018-2585[0]:
> | Vulnerability in the MySQL Connectors component of Oracle MySQL
> | (subcomponent: Connector/Net). Supported versions that are affected
> | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> | vulnerability allows unauthenticated attacker with network access via
> | multiple protocols to compromise MySQL Connectors. Successful attacks
> | of this vulnerability can result in unauthorized ability to cause a
> | hang or frequently repeatable crash (complete DOS) of MySQL
> | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-2585
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
>
> Please adjust the affected versions in the BTS as needed.
>
> ___
> pkg-cli-libs-team mailing list
> pkg-cli-libs-t...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
>


Bug#887751: mysql-connector-net: CVE-2018-2585 DoS via unauthenticated connection

2018-01-19 Thread Guido Günther
Package: mysql-connector-net
X-Debbugs-CC: t...@security.debian.org 
secure-testing-t...@lists.alioth.debian.org
Severity: important
Tags: grave
Version: 6.4.3-2

Hi,

the following vulnerability was published for mysql-connector-net.

CVE-2018-2585[0]:
| Vulnerability in the MySQL Connectors component of Oracle MySQL
| (subcomponent: Connector/Net). Supported versions that are affected
| are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise MySQL Connectors. Successful attacks
| of this vulnerability can result in unauthorized ability to cause a
| hang or frequently repeatable crash (complete DOS) of MySQL
| Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
| Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-2585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585

Please adjust the affected versions in the BTS as needed.