Your message dated Mon, 14 Nov 2022 20:56:06 +0000
with message-id <20221114205606.gk28...@mal.justgohome.co.uk>
and subject line Re: [debian-mysql] Bug#1024016: mysql-8.0: CVE-2022-39400
CVE-2022-39402 CVE-2022-39403 CVE-2022-39408 CVE-2022-39410 CVE-2022-21594
CVE-2022-21599 CVE-2022-21604 CVE-2022-21608 CVE-2022-21611 CVE-2022-21617
CVE-2022-21625 CVE-2022-21632 CVE-2022-21633 CVE-2022-21637 CVE-2022-21640
has caused the Debian Bug report #1024016,
regarding mysql-8.0: CVE-2022-39400 CVE-2022-39402 CVE-2022-39403
CVE-2022-39408 CVE-2022-39410 CVE-2022-21594 CVE-2022-21599 CVE-2022-21604
CVE-2022-21608 CVE-2022-21611 CVE-2022-21617 CVE-2022-21625 CVE-2022-21632
CVE-2022-21633 CVE-2022-21637 CVE-2022-21640
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1024016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024016
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2022-39400[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-39402[1]:
| Vulnerability in the MySQL Shell product of Oracle MySQL (component:
| Shell: Core Client). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows unauthenticated
| attacker with logon to the infrastructure where MySQL Shell executes
| to compromise MySQL Shell. While the vulnerability is in MySQL Shell,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| read access to a subset of MySQL Shell accessible data. CVSS 3.1 Base
| Score 4.3 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
CVE-2022-39403[2]:
| Vulnerability in the MySQL Shell product of Oracle MySQL (component:
| Shell: Core Client). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with logon to the infrastructure where MySQL Shell executes
| to compromise MySQL Shell. Successful attacks require human
| interaction from a person other than the attacker. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of MySQL Shell accessible data as well as
| unauthorized read access to a subset of MySQL Shell accessible data.
| CVSS 3.1 Base Score 3.9 (Confidentiality and Integrity impacts). CVSS
| Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).
CVE-2022-39408[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-39410[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21594[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21599[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 8.0.30 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21604[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21608[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 5.7.39
| and prior and 8.0.30 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21611[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with logon to the infrastructure where MySQL Server executes to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.1 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21617[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Connection Handling). Supported versions that are affected are
| 5.7.39 and prior and 8.0.30 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21625[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21632[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Security: Privileges). Supported versions that are affected
| are 8.0.30 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21633[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Replication). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21637[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2022-21640[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39400
https://www.cve.org/CVERecord?id=CVE-2022-39400
[1] https://security-tracker.debian.org/tracker/CVE-2022-39402
https://www.cve.org/CVERecord?id=CVE-2022-39402
[2] https://security-tracker.debian.org/tracker/CVE-2022-39403
https://www.cve.org/CVERecord?id=CVE-2022-39403
[3] https://security-tracker.debian.org/tracker/CVE-2022-39408
https://www.cve.org/CVERecord?id=CVE-2022-39408
[4] https://security-tracker.debian.org/tracker/CVE-2022-39410
https://www.cve.org/CVERecord?id=CVE-2022-39410
[5] https://security-tracker.debian.org/tracker/CVE-2022-21594
https://www.cve.org/CVERecord?id=CVE-2022-21594
[6] https://security-tracker.debian.org/tracker/CVE-2022-21599
https://www.cve.org/CVERecord?id=CVE-2022-21599
[7] https://security-tracker.debian.org/tracker/CVE-2022-21604
https://www.cve.org/CVERecord?id=CVE-2022-21604
[8] https://security-tracker.debian.org/tracker/CVE-2022-21608
https://www.cve.org/CVERecord?id=CVE-2022-21608
[9] https://security-tracker.debian.org/tracker/CVE-2022-21611
https://www.cve.org/CVERecord?id=CVE-2022-21611
[10] https://security-tracker.debian.org/tracker/CVE-2022-21617
https://www.cve.org/CVERecord?id=CVE-2022-21617
[11] https://security-tracker.debian.org/tracker/CVE-2022-21625
https://www.cve.org/CVERecord?id=CVE-2022-21625
[12] https://security-tracker.debian.org/tracker/CVE-2022-21632
https://www.cve.org/CVERecord?id=CVE-2022-21632
[13] https://security-tracker.debian.org/tracker/CVE-2022-21633
https://www.cve.org/CVERecord?id=CVE-2022-21633
[14] https://security-tracker.debian.org/tracker/CVE-2022-21637
https://www.cve.org/CVERecord?id=CVE-2022-21637
[15] https://security-tracker.debian.org/tracker/CVE-2022-21640
https://www.cve.org/CVERecord?id=CVE-2022-21640
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
This is fixed in 8.0.31-1, just uploaded.
Sorry, I asked Lena to update the changelog to reference this bug and
the CVEs, but then accidentally uploaded the previous version. This is
my fault, but it's done now.
--- End Message ---