Your message dated Mon, 14 Nov 2022 22:52:55 +0100
with message-id <y3k4t61vfut+c...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted mysql-8.0 8.0.31-1 
(source) into unstable]
has caused the Debian Bug report #1024016,
regarding mysql-8.0: CVE-2022-39400 CVE-2022-39402 CVE-2022-39403 
CVE-2022-39408 CVE-2022-39410 CVE-2022-21594 CVE-2022-21599 CVE-2022-21604 
CVE-2022-21608 CVE-2022-21611 CVE-2022-21617 CVE-2022-21625 CVE-2022-21632 
CVE-2022-21633 CVE-2022-21637 CVE-2022-21640
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1024016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024016
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2022-39400[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-39402[1]:
| Vulnerability in the MySQL Shell product of Oracle MySQL (component:
| Shell: Core Client). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows unauthenticated
| attacker with logon to the infrastructure where MySQL Shell executes
| to compromise MySQL Shell. While the vulnerability is in MySQL Shell,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| read access to a subset of MySQL Shell accessible data. CVSS 3.1 Base
| Score 4.3 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).


CVE-2022-39403[2]:
| Vulnerability in the MySQL Shell product of Oracle MySQL (component:
| Shell: Core Client). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with logon to the infrastructure where MySQL Shell executes
| to compromise MySQL Shell. Successful attacks require human
| interaction from a person other than the attacker. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of MySQL Shell accessible data as well as
| unauthorized read access to a subset of MySQL Shell accessible data.
| CVSS 3.1 Base Score 3.9 (Confidentiality and Integrity impacts). CVSS
| Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).


CVE-2022-39408[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-39410[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21594[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21599[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 8.0.30 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21604[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21608[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 5.7.39
| and prior and 8.0.30 and prior. Easily exploitable vulnerability
| allows high privileged attacker with network access via multiple
| protocols to compromise MySQL Server. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21611[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with logon to the infrastructure where MySQL Server executes to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.1 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21617[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Connection Handling). Supported versions that are affected are
| 5.7.39 and prior and 8.0.30 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21625[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21632[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Security: Privileges). Supported versions that are affected
| are 8.0.30 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21633[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Replication). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21637[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.30 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2022-21640[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.30
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39400
    https://www.cve.org/CVERecord?id=CVE-2022-39400
[1] https://security-tracker.debian.org/tracker/CVE-2022-39402
    https://www.cve.org/CVERecord?id=CVE-2022-39402
[2] https://security-tracker.debian.org/tracker/CVE-2022-39403
    https://www.cve.org/CVERecord?id=CVE-2022-39403
[3] https://security-tracker.debian.org/tracker/CVE-2022-39408
    https://www.cve.org/CVERecord?id=CVE-2022-39408
[4] https://security-tracker.debian.org/tracker/CVE-2022-39410
    https://www.cve.org/CVERecord?id=CVE-2022-39410
[5] https://security-tracker.debian.org/tracker/CVE-2022-21594
    https://www.cve.org/CVERecord?id=CVE-2022-21594
[6] https://security-tracker.debian.org/tracker/CVE-2022-21599
    https://www.cve.org/CVERecord?id=CVE-2022-21599
[7] https://security-tracker.debian.org/tracker/CVE-2022-21604
    https://www.cve.org/CVERecord?id=CVE-2022-21604
[8] https://security-tracker.debian.org/tracker/CVE-2022-21608
    https://www.cve.org/CVERecord?id=CVE-2022-21608
[9] https://security-tracker.debian.org/tracker/CVE-2022-21611
    https://www.cve.org/CVERecord?id=CVE-2022-21611
[10] https://security-tracker.debian.org/tracker/CVE-2022-21617
    https://www.cve.org/CVERecord?id=CVE-2022-21617
[11] https://security-tracker.debian.org/tracker/CVE-2022-21625
    https://www.cve.org/CVERecord?id=CVE-2022-21625
[12] https://security-tracker.debian.org/tracker/CVE-2022-21632
    https://www.cve.org/CVERecord?id=CVE-2022-21632
[13] https://security-tracker.debian.org/tracker/CVE-2022-21633
    https://www.cve.org/CVERecord?id=CVE-2022-21633
[14] https://security-tracker.debian.org/tracker/CVE-2022-21637
    https://www.cve.org/CVERecord?id=CVE-2022-21637
[15] https://security-tracker.debian.org/tracker/CVE-2022-21640
    https://www.cve.org/CVERecord?id=CVE-2022-21640

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.31-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Nov 2022 16:17:45 +0100
Source: mysql-8.0
Binary: libmysqlclient21 libmysqlclient-dev mysql-client-core-8.0 
mysql-client-8.0 mysql-server-core-8.0 mysql-server-8.0 mysql-server 
mysql-client mysql-testsuite mysql-testsuite-8.0 mysql-source-8.0 mysql-router
Architecture: source
Version: 8.0.31-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Description:
 libmysqlclient-dev - MySQL database development files
 libmysqlclient21 - MySQL database client library
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-8.0 - MySQL database client binaries
 mysql-client-core-8.0 - MySQL database core client binaries
 mysql-router - route connections from MySQL clients to MySQL servers
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-8.0 - MySQL database server binaries and system database setup
 mysql-server-core-8.0 - MySQL database server binaries
 mysql-source-8.0 - MySQL source
 mysql-testsuite - MySQL regression tests
 mysql-testsuite-8.0 - MySQL 8.0 testsuite
Launchpad-Bugs-Fixed: 1899248 1921378 1992453
Changes:
 mysql-8.0 (8.0.31-1) unstable; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: Update to 8.0.31 to fix security issues (LP: #1992453)
     - CVE numbers pending
   * Disable main.derived_limit test failing on s390x
 .
   [ Lars Tangvald ]
   * Remove d/p/fix_path_mysql_keyring_encryption_test.patch: Fixed upstream
   * debian/mysql-testsuite-8.0.install: added new files.
 .
   [ Bryce Harrington ]
   * Improve source_mysql-8.0.py apport hook
 .
   [ Lena Voytek ]
   * Increase stop_server timeout in postinst file (LP: #1899248)
   * Fix apport symbolic link report error for my.cnf
   * Confirm mysqld shuts down in postinst (LP: #1921378)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


----- End forwarded message -----

--- End Message ---
