Your message dated Tue, 14 May 2024 12:42:18 +0000
with message-id <e1s6ru2-009ljx...@fasolo.debian.org>
and subject line Bug#1069189: fixed in mysql-8.0 8.0.37-1
has caused the Debian Bug report #1069189,
regarding mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 
CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 
CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21000 CVE-2024-20998 
CVE-2024-20994
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client: mysqldump). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to
| exploit vulnerability allows unauthenticated attacker with logon to
| the infrastructure where MySQL Server executes to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data as well as unauthorized read access to a subset of
| MySQL Server accessible data and unauthorized ability to cause a
| partial denial of service (partial DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Confidentiality, Integrity and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication Plugin). Supported versions
| that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL). Supported versions that are affected are
| 8.0.36 and prior and 8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Data Dictionary). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.36 and prior and 8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21013[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to
| exploit vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21009[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21008[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to
| exploit vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21000[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Security: Privileges). Supported versions that
| are affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| update, insert or delete access to some of MySQL Server accessible
| data as well as unauthorized read access to a subset of MySQL
| Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and
| Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).


CVE-2024-20998[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-20994[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Information Schema). Supported versions that
| are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to
| exploit vulnerability allows low privileged attacker with network
| access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21102
    https://www.cve.org/CVERecord?id=CVE-2024-21102
[1] https://security-tracker.debian.org/tracker/CVE-2024-21096
    https://www.cve.org/CVERecord?id=CVE-2024-21096
[2] https://security-tracker.debian.org/tracker/CVE-2024-21087
    https://www.cve.org/CVERecord?id=CVE-2024-21087
[3] https://security-tracker.debian.org/tracker/CVE-2024-21069
    https://www.cve.org/CVERecord?id=CVE-2024-21069
[4] https://security-tracker.debian.org/tracker/CVE-2024-21062
    https://www.cve.org/CVERecord?id=CVE-2024-21062
[5] https://security-tracker.debian.org/tracker/CVE-2024-21060
    https://www.cve.org/CVERecord?id=CVE-2024-21060
[6] https://security-tracker.debian.org/tracker/CVE-2024-21054
    https://www.cve.org/CVERecord?id=CVE-2024-21054
[7] https://security-tracker.debian.org/tracker/CVE-2024-21047
    https://www.cve.org/CVERecord?id=CVE-2024-21047
[8] https://security-tracker.debian.org/tracker/CVE-2024-21013
    https://www.cve.org/CVERecord?id=CVE-2024-21013
[9] https://security-tracker.debian.org/tracker/CVE-2024-21009
    https://www.cve.org/CVERecord?id=CVE-2024-21009
[10] https://security-tracker.debian.org/tracker/CVE-2024-21008
    https://www.cve.org/CVERecord?id=CVE-2024-21008
[11] https://security-tracker.debian.org/tracker/CVE-2024-21000
    https://www.cve.org/CVERecord?id=CVE-2024-21000
[12] https://security-tracker.debian.org/tracker/CVE-2024-20998
    https://www.cve.org/CVERecord?id=CVE-2024-20998
[13] https://security-tracker.debian.org/tracker/CVE-2024-20994
    https://www.cve.org/CVERecord?id=CVE-2024-20994

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.37-1
Done: Lena Voytek <lena.voy...@canonical.com>

We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 May 2024 12:10:48 +0200
Source: mysql-8.0
Built-For-Profiles: noudeb
Architecture: source
Version: 8.0.37-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Closes: 1069189
Changes:
 mysql-8.0 (8.0.37-1) unstable; urgency=medium
 .
   * Imported upstream version 8.0.37 to fix security issues
     - https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixMSQL
     - CVE-2023-6129 CVE-2024-20993 CVE-2024-20994 CVE-2024-20998 CVE-2024-21000
       CVE-2024-21009 CVE-2024-21013 CVE-2024-21015 CVE-2024-21047
       CVE-2024-21049 CVE-2024-21050 CVE-2024-21051 CVE-2024-21052
       CVE-2024-21053 CVE-2024-21054 CVE-2024-21055 CVE-2024-21056
       CVE-2024-21057 CVE-2024-21060 CVE-2024-21061 CVE-2024-21062
       CVE-2024-21069 CVE-2024-21087 CVE-2024-21096 CVE-2024-21102
     Upstream release notes:
     - https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-37.html
     (Closes: #1069189)
   * d/p/revert_faster_tls_model.patch: Refresh



--- End Message ---
