VARIoT IoT vulnerabilities database

Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0564. This vulnerability CVE-2014-0564 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition. Security flaws exist in several Adobe products. Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.418" References ========== [ 1 ] CVE-2014-0558 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0558 [ 2 ] CVE-2014-0564 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0564 [ 3 ] CVE-2014-0569 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0569 [ 4 ] CVE-2014-0573 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0573 [ 5 ] CVE-2014-0574 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0574 [ 6 ] CVE-2014-0576 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0576 [ 7 ] CVE-2014-0577 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0577 [ 8 ] CVE-2014-0581 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0581 [ 9 ] CVE-2014-0582 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0582 [ 10 ] CVE-2014-0583 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0583 [ 11 ] CVE-2014-0584 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0584 [ 12 ] CVE-2014-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0585 [ 13 ] CVE-2014-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0586 [ 14 ] CVE-2014-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0588 [ 15 ] CVE-2014-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0589 [ 16 ] CVE-2014-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0590 [ 17 ] CVE-2014-8437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8437 [ 18 ] CVE-2014-8438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8438 [ 19 ] CVE-2014-8440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8440 [ 20 ] CVE-2014-8441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8441 [ 21 ] CVE-2014-8442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8442 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:1648-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1648.html Issue date: 2014-10-15 CVE Names: CVE-2014-0558 CVE-2014-0564 CVE-2014-0569 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-22, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1152775 - CVE-2014-0564 CVE-2014-0558 CVE-2014-0569 flash-plugin: multiple code execution flaws (APSB14-22) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.411-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.411-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.411-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.411-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.411-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.411-1.el6.i686.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: flash-plugin-11.2.202.411-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.411-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.411-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.411-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.411-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0558.html https://www.redhat.com/security/data/cve/CVE-2014-0564.html https://www.redhat.com/security/data/cve/CVE-2014-0569.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-22.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUPuDGXlSAg2UNWIIRAsobAJ9vnW0PysUhlqb4KDFHcw8Q7+rzqgCePtuZ Wum8dH3c44zrI0LJNv9/khY= =kNs5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'SERVER:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. A remote attacker could exploit this vulnerability to update, insert, and delete data, affecting data integrity. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3054-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 20, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mysql-5.5 CVE ID : CVE-2012-5615 CVE-2014-4274 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6478 CVE-2014-6484 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 Debian Bug : 765663 Several issues have been discovered in the MySQL database server. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJURSC7AAoJEAVMuPMTQ89EasQP/RxXHja/33Mofs2nZY2T0c++ BblmAs1D8t1csPTPjPGC2UFrBNWvvKSintqHid1W34ulFQahR+Uw0t6vuNOKoVnh oBnayvOkAl2R6EcMS3DrdEPCgmj6NGC6QNG2Qt43a5tYdR3YCBTCMhPcHoIM6m3J eQH/3UetTKrxvqM0nXNjTcVppdHUzKP3b2W/DRP90X0qtD5DdkqEqh12rCZVBvnO b3AegaZ/PoEnmzqXkLIpRs2Dtx9P/dWeL9vCDZN0X6h+NSJzXYd0YfjfEIYldSXI vKHIXFyno69pelQ7YoUA/+XKyVbvZzPL1STgV9dJtHWUi4TMR9VgIFuJMVaBoNDR YTcfN61CfOkhUI45PhEp+mprlKVwwrLXrR/R5g4dHr28EmdQmvIJOOtxbUJAUd0m y7q5PUuXWuVC54Kjm51m249dNY8IMgBAiIdrvlQyQiOL28Wgc0z2+IWFZnSL8eSH 5l8jKi20x6BYNIKQHWBqt2s4yej39dNaiNnCGqnUUOCzrbpfY1xzP25GPtQo+jVc +1IygdKN8SG3S5FTQcHsND4C2cb3A9Tgf2gwffVrQq0TyQvXQbGjWN+xh4FAhU/D ysAYdd2zPQGd+9OAE/Ja1uMZ2NY/CTzn9y5Or6eTCLpDmNFN28MsvQ9SAkAWVKe8 SgOwAiXo3xRUsGy6UiHm =j4S6 -----END PGP SIGNATURE-----

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491. This vulnerability CVE-2014-6491 Is a different vulnerability.Information is obtained by a third party, information is altered, and service operation is interrupted. (DoS) An attack may be carried out. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'SERVER:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mariadb (SSA:2014-307-01) New mariadb packages are available for Slackware 14.1 and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.40-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-5.5.40-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-5.5.40-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.1 package: da0aff5bebbbdc0621359c0fea027ae6 mariadb-5.5.40-i486-1_slack14.1.txz Slackware x86_64 14.1 package: dbb7d695a22ae538b5ad9c024823b190 mariadb-5.5.40-x86_64-1_slack14.1.txz Slackware -current package: f9ca4cf6015ddbb73dfba16c535caffc ap/mariadb-5.5.40-i486-1.txz Slackware x86_64 -current package: 6924f64b6c147556a58a2c6f1929ab5e ap/mariadb-5.5.40-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mariadb-5.5.40-i486-1_slack14.1.txz Then, restart the database server: # sh /etc/rc.d/rc.mysqld restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRYJz0ACgkQakRjwEAQIjPqygCeN1AAAJQbjyTDPKmJlNj5+1Qw 3IkAn3kpZO670aM3MoWqkCEfyHX4gXXu =11Km -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MySQL, MariaDB: Multiple vulnerabilities Date: November 05, 2014 Bugs: #525504 ID: 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in the MySQL and MariaDB, possibly allowing attackers to cause unspecified impact. Background ========== MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an enhanced, drop-in replacement for MySQL. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.5.40 >= 5.5.40 2 dev-db/mariadb < 5.5.40-r1 >= 5.5.40-r1 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple unspecified vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code, Denial of Service, or disclosure of sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.40" All MariaDB users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mariadb-5.5.40-r1" References ========== [ 1 ] CVE-2014-6464 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464 [ 2 ] CVE-2014-6469 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469 [ 3 ] CVE-2014-6491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491 [ 4 ] CVE-2014-6494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494 [ 5 ] CVE-2014-6496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496 [ 6 ] CVE-2014-6500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500 [ 7 ] CVE-2014-6507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507 [ 8 ] CVE-2014-6555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555 [ 9 ] CVE-2014-6559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect availability via vectors related to SERVER:SSL:yaSSL. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'SERVER:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3054-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 20, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mysql-5.5 CVE ID : CVE-2012-5615 CVE-2014-4274 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6478 CVE-2014-6484 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 Debian Bug : 765663 Several issues have been discovered in the MySQL database server. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJURSC7AAoJEAVMuPMTQ89EasQP/RxXHja/33Mofs2nZY2T0c++ BblmAs1D8t1csPTPjPGC2UFrBNWvvKSintqHid1W34ulFQahR+Uw0t6vuNOKoVnh oBnayvOkAl2R6EcMS3DrdEPCgmj6NGC6QNG2Qt43a5tYdR3YCBTCMhPcHoIM6m3J eQH/3UetTKrxvqM0nXNjTcVppdHUzKP3b2W/DRP90X0qtD5DdkqEqh12rCZVBvnO b3AegaZ/PoEnmzqXkLIpRs2Dtx9P/dWeL9vCDZN0X6h+NSJzXYd0YfjfEIYldSXI vKHIXFyno69pelQ7YoUA/+XKyVbvZzPL1STgV9dJtHWUi4TMR9VgIFuJMVaBoNDR YTcfN61CfOkhUI45PhEp+mprlKVwwrLXrR/R5g4dHr28EmdQmvIJOOtxbUJAUd0m y7q5PUuXWuVC54Kjm51m249dNY8IMgBAiIdrvlQyQiOL28Wgc0z2+IWFZnSL8eSH 5l8jKi20x6BYNIKQHWBqt2s4yej39dNaiNnCGqnUUOCzrbpfY1xzP25GPtQo+jVc +1IygdKN8SG3S5FTQcHsND4C2cb3A9Tgf2gwffVrQq0TyQvXQbGjWN+xh4FAhU/D ysAYdd2zPQGd+9OAE/Ja1uMZ2NY/CTzn9y5Or6eTCLpDmNFN28MsvQ9SAkAWVKe8 SgOwAiXo3xRUsGy6UiHm =j4S6 -----END PGP SIGNATURE-----

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494. This vulnerability CVE-2014-6494 Is a different vulnerability.Service disruption by a third party (DoS) An attack may be carried out. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'CLIENT:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mariadb (SSA:2014-307-01) New mariadb packages are available for Slackware 14.1 and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.40-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-5.5.40-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-5.5.40-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.1 package: da0aff5bebbbdc0621359c0fea027ae6 mariadb-5.5.40-i486-1_slack14.1.txz Slackware x86_64 14.1 package: dbb7d695a22ae538b5ad9c024823b190 mariadb-5.5.40-x86_64-1_slack14.1.txz Slackware -current package: f9ca4cf6015ddbb73dfba16c535caffc ap/mariadb-5.5.40-i486-1.txz Slackware x86_64 -current package: 6924f64b6c147556a58a2c6f1929ab5e ap/mariadb-5.5.40-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mariadb-5.5.40-i486-1_slack14.1.txz Then, restart the database server: # sh /etc/rc.d/rc.mysqld restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRYJz0ACgkQakRjwEAQIjPqygCeN1AAAJQbjyTDPKmJlNj5+1Qw 3IkAn3kpZO670aM3MoWqkCEfyHX4gXXu =11Km -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MySQL, MariaDB: Multiple vulnerabilities Date: November 05, 2014 Bugs: #525504 ID: 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in the MySQL and MariaDB, possibly allowing attackers to cause unspecified impact. Background ========== MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an enhanced, drop-in replacement for MySQL. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.5.40 >= 5.5.40 2 dev-db/mariadb < 5.5.40-r1 >= 5.5.40-r1 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple unspecified vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code, Denial of Service, or disclosure of sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.40" All MariaDB users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mariadb-5.5.40-r1" References ========== [ 1 ] CVE-2014-6464 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464 [ 2 ] CVE-2014-6469 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469 [ 3 ] CVE-2014-6491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491 [ 4 ] CVE-2014-6494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494 [ 5 ] CVE-2014-6496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496 [ 6 ] CVE-2014-6500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500 [ 7 ] CVE-2014-6507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507 [ 8 ] CVE-2014-6555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555 [ 9 ] CVE-2014-6559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496. This vulnerability CVE-2014-6496 Is a different vulnerability.Service disruption by a third party (DoS) An attack may be carried out. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'CLIENT:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mariadb (SSA:2014-307-01) New mariadb packages are available for Slackware 14.1 and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.40-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-5.5.40-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-5.5.40-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.1 package: da0aff5bebbbdc0621359c0fea027ae6 mariadb-5.5.40-i486-1_slack14.1.txz Slackware x86_64 14.1 package: dbb7d695a22ae538b5ad9c024823b190 mariadb-5.5.40-x86_64-1_slack14.1.txz Slackware -current package: f9ca4cf6015ddbb73dfba16c535caffc ap/mariadb-5.5.40-i486-1.txz Slackware x86_64 -current package: 6924f64b6c147556a58a2c6f1929ab5e ap/mariadb-5.5.40-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mariadb-5.5.40-i486-1_slack14.1.txz Then, restart the database server: # sh /etc/rc.d/rc.mysqld restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRYJz0ACgkQakRjwEAQIjPqygCeN1AAAJQbjyTDPKmJlNj5+1Qw 3IkAn3kpZO670aM3MoWqkCEfyHX4gXXu =11Km -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MySQL, MariaDB: Multiple vulnerabilities Date: November 05, 2014 Bugs: #525504 ID: 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in the MySQL and MariaDB, possibly allowing attackers to cause unspecified impact. Background ========== MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an enhanced, drop-in replacement for MySQL. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.5.40 >= 5.5.40 2 dev-db/mariadb < 5.5.40-r1 >= 5.5.40-r1 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple unspecified vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code, Denial of Service, or disclosure of sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.40" All MariaDB users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mariadb-5.5.40-r1" References ========== [ 1 ] CVE-2014-6464 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464 [ 2 ] CVE-2014-6469 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469 [ 3 ] CVE-2014-6491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491 [ 4 ] CVE-2014-6494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494 [ 5 ] CVE-2014-6496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496 [ 6 ] CVE-2014-6500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500 [ 7 ] CVE-2014-6507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507 [ 8 ] CVE-2014-6555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555 [ 9 ] CVE-2014-6559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500. This vulnerability CVE-2014-6500 Is a different vulnerability.Information is obtained by a third party, information is altered, and service operation is interrupted. (DoS) An attack may be carried out. The vulnerability can be exploited over the 'MySQL Protocol' protocol. The 'SERVER:SSL:yaSSL' sub component is affected. This vulnerability affects the following supported versions: 5.5.39 and earlier, 5.6.20 and earlier. The database system has the characteristics of high performance, low cost and good reliability. ============================================================================ Ubuntu Security Notice USN-2384-1 October 15, 2014 mysql-5.5 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.5: MySQL database Details: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. Please see the following for more information: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.14.04.1 Ubuntu 12.04 LTS: mysql-server-5.5 5.5.40-0ubuntu0.12.04.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2384-1 CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 Package Information: https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.14.04.1 https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.40-0ubuntu0.12.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mariadb (SSA:2014-307-01) New mariadb packages are available for Slackware 14.1 and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.40-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-5.5.40-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-5.5.40-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.1 package: da0aff5bebbbdc0621359c0fea027ae6 mariadb-5.5.40-i486-1_slack14.1.txz Slackware x86_64 14.1 package: dbb7d695a22ae538b5ad9c024823b190 mariadb-5.5.40-x86_64-1_slack14.1.txz Slackware -current package: f9ca4cf6015ddbb73dfba16c535caffc ap/mariadb-5.5.40-i486-1.txz Slackware x86_64 -current package: 6924f64b6c147556a58a2c6f1929ab5e ap/mariadb-5.5.40-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mariadb-5.5.40-i486-1_slack14.1.txz Then, restart the database server: # sh /etc/rc.d/rc.mysqld restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRYJz0ACgkQakRjwEAQIjPqygCeN1AAAJQbjyTDPKmJlNj5+1Qw 3IkAn3kpZO670aM3MoWqkCEfyHX4gXXu =11Km -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MySQL, MariaDB: Multiple vulnerabilities Date: November 05, 2014 Bugs: #525504 ID: 201411-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in the MySQL and MariaDB, possibly allowing attackers to cause unspecified impact. Background ========== MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an enhanced, drop-in replacement for MySQL. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/mysql < 5.5.40 >= 5.5.40 2 dev-db/mariadb < 5.5.40-r1 >= 5.5.40-r1 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple unspecified vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code, Denial of Service, or disclosure of sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.40" All MariaDB users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mariadb-5.5.40-r1" References ========== [ 1 ] CVE-2014-6464 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464 [ 2 ] CVE-2014-6469 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469 [ 3 ] CVE-2014-6491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491 [ 4 ] CVE-2014-6494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494 [ 5 ] CVE-2014-6496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496 [ 6 ] CVE-2014-6500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500 [ 7 ] CVE-2014-6507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507 [ 8 ] CVE-2014-6555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555 [ 9 ] CVE-2014-6559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.40-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages

The ZIP inspection engine in Cisco AsyncOS 8.5 and earlier on the Cisco Email Security Appliance (ESA) does not properly analyze ZIP archives, which allows remote attackers to bypass malware filtering via a crafted archive, aka Bug ID CSCup07934. Vendors have confirmed this vulnerability Bug ID CSCup07934 It is released as.A third party may be able to bypass malware filtering through a crafted archive. Cisco AsyncOS is the operating system used by multiple Cisco products. A remote security bypass vulnerability exists in Cisco AsyncOS Software that allows an attacker to bypass certain security restrictions and perform unauthorized operations. Cisco AsyncOS Software is prone to a remote security-bypass vulnerability. This issue is being tracked by Cisco Bug ID CSCup07934. The vulnerability is caused by the program not correctly parsing ZIP compressed files

Multiple Huawei products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to restart the device, denying service to legitimate users.

The Autonomic Networking Infrastructure (ANI) component in Cisco IOS XE does not properly validate certificates, which allows remote attackers to trigger acceptance of an invalid message via crafted messages, aka Bug ID CSCuq22677. Vendors have confirmed this vulnerability Bug ID CSCuq22677 It is released as.A third party can trigger the receipt of invalid messages via crafted messages. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS XE has a security bypass vulnerability that allows an attacker to exploit a vulnerability to bypass certain security restrictions and perform unauthorized operations. Cisco IOS XE Software is prone to a security-bypass vulnerability. This issue is being tracked by Cisco Bug ID CSCuq22677. The vulnerability is caused by the program not validating certificates properly. A remote attacker could exploit this vulnerability to send a specially crafted message to the ANI device

polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter. Business Objects is the world's leading business intelligence (BI) software company. SAP BusinessObjects Explorer is a browser that it launched. An information disclosure vulnerability exists in SAP BusinessObjects Explorer. This vulnerability could be exploited by an attacker to obtain a group host and its open port information. BusinessObjects Explorer14.0.5 (build 882) is vulnerable;other versions may also be affected

Business Objects is the world's leading business intelligence (BI) software company. SAP BusinessObjects Explorer is a browser that it launched. A cross-site flash vulnerability exists in SAP BusinessObjects Explorer. An attacker could exploit this vulnerability to steal user's session information. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request. Supplementary information : CWE Vulnerability type by CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (XML Inappropriate restrictions on external entity references ) Has been identified. http://cwe.mitre.org/data/definitions/611.htmlBy a third party explorationSpaceUpdate Request xmlParameter An arbitrary file may be read through the parameter. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. BusinessObjects Explorer 14.0.5 (build 882) is vulnerable; other versions may also be affected

Unspecified vulnerability in HP Network Automation 9.10 and 9.20 allows local users to bypass intended access restrictions via unknown vectors. HP Network Automation is an automated network configuration management tool. HP Network Automati has a security bypass vulnerability. An attacker could exploit this vulnerability to bypass certain security restrictions

Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long URI. Huawei E5332 contains a denial-of-service (DoS) vulnerability. Huawei E5332 provided by Huawei Technologies is a mobile router. Huawei E5332 contain an issue when processing a URL that is extremely long, which may lead to the device to terminate abnormally. Shuto Imai of Chukyo Univ. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An attacker that can send requests to the device may cause the device to become unresponsive. Huawei E5332 Webserver is a wireless router product. Huawei E5332 Webserver has a denial of service vulnerability. An attacker can exploit a vulnerability to build a long URI for a denial of service attack. Attackers may exploit this issue to cause denial-of-service conditions

Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long parameter in an API service request message. Huawei E5332 contains a denial-of-service (DoS) vulnerability. Huawei E5332 provided by Huawei Technologies is a mobile router. Huawei E5332 contains an issue when processing a GET request that contains an extremely long parameter, which lead to the device rebooting. Shuto Imai of Chukyo Univ. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An attacker that can send requests to the device may cause the device to become unresponsive. Huawei E5332 Router is a China Unicom 3G wireless router product from Huawei. Attackers may exploit this issue to cause denial-of-service conditions. A buffer overflow vulnerability exists in the Webserver component of Huawei E5332 Router versions earlier than 21.344.27.00.1080

The Autonomic Networking Infrastructure (ANI) component in Cisco IOS XE does not properly validate certificates, which allows remote attackers to spoof devices via crafted messages, aka Bug ID CSCuq22647. Vendors have confirmed this vulnerability Bug ID CSCuq22647 It is released as.A third party can impersonate the device through a crafted message. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS XE has a security bypass vulnerability that allows an attacker to bypass certain security restrictions and perform unauthorized operations. Cisco IOS XE Software is prone to a security-bypass vulnerability. This issue is being tracked by Cisco Bug ID CSCuq22647. The vulnerability is caused by the program not validating certificates properly

Cisco IOS XE enables the IPv6 Routing Protocol for Low-Power and Lossy Networks (aka RPL) on both the Autonomic Control Plane (ACP) and external Autonomic Networking Infrastructure (ANI) interfaces, which allows remote attackers to conduct route-injection attacks via crafted RPL advertisements on an ANI interface, aka Bug ID CSCuq22673. Vendors have confirmed this vulnerability Bug ID CSCuq22673 It is released as.By a third party ANI Cleverly crafted on the interface RPL A route injection attack may be performed through advertisement. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. This may aid in other attacks. This issue is being tracked by Cisco Bug ID CSCuq22673. Remote attackers can use this vulnerability to implement route-injection attacks

Juniper Junos OS 9.1 through 11.4 before 11.4R11, 12.1 before R10, 12.1X44 before D40, 12.1X46 before D30, 12.1X47 before D11 and 12.147-D15, 12.1X48 before D41 and D62, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S2, 13.1X49 before D49, 13.1X50 before 30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D25, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when supporting 4-byte AS numbers and a BGP peer does not, allows remote attackers to cause a denial of service (memory corruption and RDP routing process crash and restart) via crafted transitive attributes in a BGP UPDATE. Juniper Junos is prone to a remote denial-of-service vulnerability. Exploiting this issue may allow remote attackers to crash and restart the RPD (Routing Protocol Daemon), causing denial-of-service conditions. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Junos OS 9.1 to 11.4 before 11.4R11, 12.1 before R10, 12.1X44 before D40, 12.1X46 before D30, 12.1X47 before D11, 12.147-D15, 12.1 before D41 and D62 Version X48, version 12.2 before R8, version 12.2X50 before D70, version 12.3 before R6, version 13.1 before R4-S2, version 13.1X49 before D49, version 13.1X50 before 30, version 13.2 before R4, version 13.2X50 before D20, D25 Version 13.2X51 before D15, version 13.2X52 before D15, version 13.3 before R2, and version 14.1 before R1

Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message. Juniper Junos is prone to a remote denial-of-service vulnerability. Exploiting this issue may allow remote attackers to hang or crash the RPD (Routing Protocol Daemon), causing denial-of-service conditions. Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: 11.4 before Juniper Junos R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, R7 Version 12.3 before, Version 13.1 before R4-S3, Version 13.1X49 before D55, Version 13.1X50 before D30, Version 13.2 before R5, Version 13.2X50 before D20, Version 13.2X51 before D26, Version D30, Version 13.2X52 before D15, R3 Version 13.3 before R1, version 14.1 before R1