Your message dated Tue, 24 Jan 2023 23:25:16 +0000
with message-id <e1pksfe-0017nc...@fasolo.debian.org>
and subject line Bug#1029151: fixed in mysql-8.0 8.0.32-1
has caused the Debian Bug report #1029151,
regarding mysql-8.0: CVE-2023-21863 CVE-2023-21867 CVE-2023-21868 
CVE-2023-21869 CVE-2023-21870 CVE-2023-21871 CVE-2023-21873 CVE-2023-21875 
CVE-2023-21876 CVE-2023-21877 CVE-2023-21878 CVE-2023-21879 CVE-2023-21880 
CVE-2023-21881 CVE-2023-21882 CVE-2023-21883 CVE-2023-21887
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

All fixed in 8.0.32.

CVE-2023-21863[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21867[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21868[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21869[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21870[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21871[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21873[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21875[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Security: Encryption). Supported versions that are affected
| are 8.0.31 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized creation, deletion or modification access to
| critical data or all MySQL Server accessible data and unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).


CVE-2023-21876[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21877[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21878[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21879[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21880[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.31 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server as well as unauthorized update, insert or delete
| access to some of MySQL Server accessible data. CVSS 3.1 Base Score
| 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21881[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21882[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).


CVE-2023-21883[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.31
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21887[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: GIS). Supported versions that are affected are 8.0.31 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21863
    https://www.cve.org/CVERecord?id=CVE-2023-21863
[1] https://security-tracker.debian.org/tracker/CVE-2023-21867
    https://www.cve.org/CVERecord?id=CVE-2023-21867
[2] https://security-tracker.debian.org/tracker/CVE-2023-21868
    https://www.cve.org/CVERecord?id=CVE-2023-21868
[3] https://security-tracker.debian.org/tracker/CVE-2023-21869
    https://www.cve.org/CVERecord?id=CVE-2023-21869
[4] https://security-tracker.debian.org/tracker/CVE-2023-21870
    https://www.cve.org/CVERecord?id=CVE-2023-21870
[5] https://security-tracker.debian.org/tracker/CVE-2023-21871
    https://www.cve.org/CVERecord?id=CVE-2023-21871
[6] https://security-tracker.debian.org/tracker/CVE-2023-21873
    https://www.cve.org/CVERecord?id=CVE-2023-21873
[7] https://security-tracker.debian.org/tracker/CVE-2023-21875
    https://www.cve.org/CVERecord?id=CVE-2023-21875
[8] https://security-tracker.debian.org/tracker/CVE-2023-21876
    https://www.cve.org/CVERecord?id=CVE-2023-21876
[9] https://security-tracker.debian.org/tracker/CVE-2023-21877
    https://www.cve.org/CVERecord?id=CVE-2023-21877
[10] https://security-tracker.debian.org/tracker/CVE-2023-21878
    https://www.cve.org/CVERecord?id=CVE-2023-21878
[11] https://security-tracker.debian.org/tracker/CVE-2023-21879
    https://www.cve.org/CVERecord?id=CVE-2023-21879
[12] https://security-tracker.debian.org/tracker/CVE-2023-21880
    https://www.cve.org/CVERecord?id=CVE-2023-21880
[13] https://security-tracker.debian.org/tracker/CVE-2023-21881
    https://www.cve.org/CVERecord?id=CVE-2023-21881
[14] https://security-tracker.debian.org/tracker/CVE-2023-21882
    https://www.cve.org/CVERecord?id=CVE-2023-21882
[15] https://security-tracker.debian.org/tracker/CVE-2023-21883
    https://www.cve.org/CVERecord?id=CVE-2023-21883
[16] https://security-tracker.debian.org/tracker/CVE-2023-21887
    https://www.cve.org/CVERecord?id=CVE-2023-21887

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.32-1
Done: Lena Voytek <lena.voy...@canonical.com>

We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jan 2023 07:55:07 -0700
Source: mysql-8.0
Architecture: source
Version: 8.0.32-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Closes: 1029151
Changes:
 mysql-8.0 (8.0.32-1) unstable; urgency=medium
 .
   [ Lars Tangvald ]
   * Imported upstream version 8.0.32 to fix security issues
     - https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL
     - CVE-2022-32221 CVE-2023-21836 CVE-2023-21868 CVE-2023-21869
     - CVE-2023-21871 CVE-2023-21875 CVE-2023-21877 CVE-2023-21863
     - CVE-2023-21867 CVE-2023-21870 CVE-2023-21873 CVE-2023-21876
     - CVE-2023-21878 CVE-2023-21879 CVE-2023-21880 CVE-2023-21881
     - CVE-2023-21883 CVE-2023-21882 CVE-2023-21887
     Upstream release notes:
     - https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-32.html
     (Closes: #1029151)
   * debian/rules: Exclude mysql.info from package install
   * debian/mysql-router-8.0.install: Added new files
 .
   [ Marc Deslauriers ]
   * debian/patches/disable_timestamping_test.path: disable test that fails
     to build on certain archs because of the presence of sizeof in macros.
 .
   [ Lena Voytek ]
   * debian/rules: Remove changelog install override containing empty file
     Docs/Changelog

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
