Your message dated Thu, 23 Jan 2025 22:15:24 +0000
with message-id <e1tb5tw-00eojw...@fasolo.debian.org>
and subject line Bug#1093877: fixed in mysql-8.0 8.0.41-1
has caused the Debian Bug report #1093877,
regarding mysql-8.0: CVE-2025-21555 CVE-2025-21559 CVE-2025-21540 
CVE-2025-21543 CVE-2025-21546 CVE-2025-21490 CVE-2025-21491 CVE-2025-21497 
CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21505 CVE-2025-21518 
CVE-2025-21519 CVE-2025-21520 CVE-2025-21522 CVE-2025-21523 CVE-2025-21529 
CVE-2025-21531
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1093877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093877
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2025-21555[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as  unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2025-21559[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as  unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2025-21540[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges).  Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and
| prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in  unauthorized update, insert or delete access to some of MySQL
| Server accessible data as well as  unauthorized read access to a
| subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.4
| (Confidentiality and Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).


CVE-2025-21543[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Packaging).  Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21546[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges).  Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in  unauthorized update, insert or delete access to some of MySQL
| Server accessible data as well as  unauthorized read access to a
| subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8
| (Confidentiality and Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).


CVE-2025-21490[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21491[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21497[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server as well as  unauthorized update, insert or
| delete access to some of MySQL Server accessible data. CVSS 3.1 Base
| Score 5.5 (Integrity and Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2025-21500[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21501[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21503[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21505[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Components Services).  Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21518[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21519[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges).  Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and
| prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21520[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Options).  Supported versions that are affected
| are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with logon to the infrastructure where MySQL Server executes to
| compromise MySQL Server.  Successful attacks require human
| interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in  unauthorized read
| access to a subset of MySQL Server accessible data. CVSS 3.1 Base
| Score 1.8 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N).


CVE-2025-21522[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Parser).  Supported versions that are affected
| are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21523[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21529[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Information Schema).  Supported versions that
| are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2025-21531[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-21555
    https://www.cve.org/CVERecord?id=CVE-2025-21555
[1] https://security-tracker.debian.org/tracker/CVE-2025-21559
    https://www.cve.org/CVERecord?id=CVE-2025-21559
[2] https://security-tracker.debian.org/tracker/CVE-2025-21540
    https://www.cve.org/CVERecord?id=CVE-2025-21540
[3] https://security-tracker.debian.org/tracker/CVE-2025-21543
    https://www.cve.org/CVERecord?id=CVE-2025-21543
[4] https://security-tracker.debian.org/tracker/CVE-2025-21546
    https://www.cve.org/CVERecord?id=CVE-2025-21546
[5] https://security-tracker.debian.org/tracker/CVE-2025-21490
    https://www.cve.org/CVERecord?id=CVE-2025-21490
[6] https://security-tracker.debian.org/tracker/CVE-2025-21491
    https://www.cve.org/CVERecord?id=CVE-2025-21491
[7] https://security-tracker.debian.org/tracker/CVE-2025-21497
    https://www.cve.org/CVERecord?id=CVE-2025-21497
[8] https://security-tracker.debian.org/tracker/CVE-2025-21500
    https://www.cve.org/CVERecord?id=CVE-2025-21500
[9] https://security-tracker.debian.org/tracker/CVE-2025-21501
    https://www.cve.org/CVERecord?id=CVE-2025-21501
[10] https://security-tracker.debian.org/tracker/CVE-2025-21503
    https://www.cve.org/CVERecord?id=CVE-2025-21503
[11] https://security-tracker.debian.org/tracker/CVE-2025-21505
    https://www.cve.org/CVERecord?id=CVE-2025-21505
[12] https://security-tracker.debian.org/tracker/CVE-2025-21518
    https://www.cve.org/CVERecord?id=CVE-2025-21518
[13] https://security-tracker.debian.org/tracker/CVE-2025-21519
    https://www.cve.org/CVERecord?id=CVE-2025-21519
[14] https://security-tracker.debian.org/tracker/CVE-2025-21520
    https://www.cve.org/CVERecord?id=CVE-2025-21520
[15] https://security-tracker.debian.org/tracker/CVE-2025-21522
    https://www.cve.org/CVERecord?id=CVE-2025-21522
[16] https://security-tracker.debian.org/tracker/CVE-2025-21523
    https://www.cve.org/CVERecord?id=CVE-2025-21523
[17] https://security-tracker.debian.org/tracker/CVE-2025-21529
    https://www.cve.org/CVERecord?id=CVE-2025-21529
[18] https://security-tracker.debian.org/tracker/CVE-2025-21531
    https://www.cve.org/CVERecord?id=CVE-2025-21531

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.41-1
Done: Lena Voytek <lena.voy...@canonical.com>

We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1093...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Jan 2025 09:08:13 -0500
Source: mysql-8.0
Built-For-Profiles: noudeb
Architecture: source
Version: 8.0.41-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Closes: 1093877
Changes:
 mysql-8.0 (8.0.41-1) unstable; urgency=medium
 .
   * Imported upstream version 8.0.41 to fix security issues
     - https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL
     - CVE-2024-11053 CVE-2025-21490 CVE-2025-21491 CVE-2025-21495
       CVE-2025-21497 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503
       CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520
       CVE-2025-21522 CVE-2025-21523 CVE-2025-21529 CVE-2025-21531
       CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21555
       CVE-2025-21559
     Upstream release notes:
     - https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-41.html
     (Closes: #1093877)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
