Your message dated Wed, 24 May 2023 10:24:44 +0000
with message-id <e1q1lfg-00ewgk...@fasolo.debian.org>
and subject line Bug#1034719: fixed in mysql-8.0 8.0.33-1
has caused the Debian Bug report #1034719,
regarding mysql-8.0: CVE-2023-21982 CVE-2023-21980 CVE-2023-21977
CVE-2023-21976 CVE-2023-21972 CVE-2023-21966 CVE-2023-21962 CVE-2023-21955
CVE-2023-21953 CVE-2023-21947 CVE-2023-21946 CVE-2023-21945 CVE-2023-21940
CVE-2023-21935 CVE-2023-21933 CVE-2023-21929 CVE-2023-21920 CVE-2023-21919
CVE-2023-21911
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034719
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2023-21982[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21980[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Client programs). Supported versions that are affected are 5.7.41 and
| prior and 8.0.32 and prior. Difficult to exploit vulnerability allows
| low privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks require human interaction
| from a person other than the attacker. Successful attacks of this
| vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base
| Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
CVE-2023-21977[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21976[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21972[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DML). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21966[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: JSON). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21962[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21955[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Partition). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21953[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Partition). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21947[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21946[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21945[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21940[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21935[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21933[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21929[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server as well as unauthorized update, insert
| or delete access to some of MySQL Server accessible data. CVSS 3.1
| Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2023-21920[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21919[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21911[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.32 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21982
https://www.cve.org/CVERecord?id=CVE-2023-21982
[1] https://security-tracker.debian.org/tracker/CVE-2023-21980
https://www.cve.org/CVERecord?id=CVE-2023-21980
[2] https://security-tracker.debian.org/tracker/CVE-2023-21977
https://www.cve.org/CVERecord?id=CVE-2023-21977
[3] https://security-tracker.debian.org/tracker/CVE-2023-21976
https://www.cve.org/CVERecord?id=CVE-2023-21976
[4] https://security-tracker.debian.org/tracker/CVE-2023-21972
https://www.cve.org/CVERecord?id=CVE-2023-21972
[5] https://security-tracker.debian.org/tracker/CVE-2023-21966
https://www.cve.org/CVERecord?id=CVE-2023-21966
[6] https://security-tracker.debian.org/tracker/CVE-2023-21962
https://www.cve.org/CVERecord?id=CVE-2023-21962
[7] https://security-tracker.debian.org/tracker/CVE-2023-21955
https://www.cve.org/CVERecord?id=CVE-2023-21955
[8] https://security-tracker.debian.org/tracker/CVE-2023-21953
https://www.cve.org/CVERecord?id=CVE-2023-21953
[9] https://security-tracker.debian.org/tracker/CVE-2023-21947
https://www.cve.org/CVERecord?id=CVE-2023-21947
[10] https://security-tracker.debian.org/tracker/CVE-2023-21946
https://www.cve.org/CVERecord?id=CVE-2023-21946
[11] https://security-tracker.debian.org/tracker/CVE-2023-21945
https://www.cve.org/CVERecord?id=CVE-2023-21945
[12] https://security-tracker.debian.org/tracker/CVE-2023-21940
https://www.cve.org/CVERecord?id=CVE-2023-21940
[13] https://security-tracker.debian.org/tracker/CVE-2023-21935
https://www.cve.org/CVERecord?id=CVE-2023-21935
[14] https://security-tracker.debian.org/tracker/CVE-2023-21933
https://www.cve.org/CVERecord?id=CVE-2023-21933
[15] https://security-tracker.debian.org/tracker/CVE-2023-21929
https://www.cve.org/CVERecord?id=CVE-2023-21929
[16] https://security-tracker.debian.org/tracker/CVE-2023-21920
https://www.cve.org/CVERecord?id=CVE-2023-21920
[17] https://security-tracker.debian.org/tracker/CVE-2023-21919
https://www.cve.org/CVERecord?id=CVE-2023-21919
[18] https://security-tracker.debian.org/tracker/CVE-2023-21911
https://www.cve.org/CVERecord?id=CVE-2023-21911
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.33-1
Done: Lena Voytek <lena.voy...@canonical.com>
We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 May 2023 16:10:59 -0700
Source: mysql-8.0
Binary: libmysqlclient21 libmysqlclient-dev mysql-client-core-8.0 mysql-client-8.0 mysql-server-core-8.0 mysql-server-8.0 mysql-server mysql-client mysql-testsuite mysql-testsuite-8.0 mysql-source-8.0 mysql-router
Architecture: source
Version: 8.0.33-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient21 - MySQL database client library
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-8.0 - MySQL database client binaries
mysql-client-core-8.0 - MySQL database core client binaries
mysql-router - route connections from MySQL clients to MySQL servers
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-8.0 - MySQL database server binaries and system database setup
mysql-server-core-8.0 - MySQL database server binaries
mysql-source-8.0 - MySQL source
mysql-testsuite - MySQL regression tests
mysql-testsuite-8.0 - MySQL 8.0 testsuite
Closes: 1034719
Launchpad-Bugs-Fixed: 1980466 2019203
Changes:
mysql-8.0 (8.0.33-1) unstable; urgency=medium
.
[ Lena Voytek ]
* Imported upstream version 8.0.33 to fix security issues
- https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL
- CVE-2023-21982 CVE-2023-21980 CVE-2023-21977 CVE-2023-21976
CVE-2023-21972 CVE-2023-21966 CVE-2023-21962 CVE-2023-21955
CVE-2023-21953 CVE-2023-21947 CVE-2023-21946 CVE-2023-21945
CVE-2023-21940 CVE-2023-21935 CVE-2023-21933 CVE-2023-21929
CVE-2023-21920 CVE-2023-21919 CVE-2023-21911
Upstream release notes:
- https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.html
(Closes: #1034719)
* debian/mysql-testsuite-8.0.install: Added new files
* d/p/mysql_secure_installation-remove-root-pw-creation.patch: Fix
mysql_secure_installation by removing root password creation (LP: #1980466)
.
[ Marc Deslauriers ]
* Fix crash on startup on armhf (LP: #2019203)
- debian/patches/revert-be8348a7.patch: revert upstream commit.
* Fix expired date in main.derived_condition_pushdown test
- debian/patches/fix_expired_date_in_test.patch: update expired date.
Checksums-Sha1:
9be30ac4e124ce07a3d27776f87affe9ee4eb223 3380 mysql-8.0_8.0.33-1.dsc
7179c3e3c9c5e5a06cea2ba77645bbd793732f8f 438065679 mysql-8.0_8.0.33.orig.tar.gz
207d990dcd4ed15bdb09b9562a2db2976e05d194 147484 mysql-8.0_8.0.33-1.debian.tar.xz
Checksums-Sha256:
122cad25fb3dfc83a97639b4a21ed4c85183d1ee2b7f6f35045d63931fd571f6 3380 mysql-8.0_8.0.33-1.dsc
ae31e6368617776b43c82436c3736900067fada1289032f3ac3392f7380bcb58 438065679 mysql-8.0_8.0.33.orig.tar.gz
c7fd2d9459bfb023c44e340578f0110e6687affd806d02ca7f7553c3b2e86a79 147484 mysql-8.0_8.0.33-1.debian.tar.xz
Files:
6923f6e6272937f85faa78372262ac8c 3380 database optional mysql-8.0_8.0.33-1.dsc
20ffc71fb8acd705cdc4a8ae4cdedf23 438065679 database optional mysql-8.0_8.0.33.orig.tar.gz
3012c82763548b7a214e244ebda01715 147484 database optional mysql-8.0_8.0.33-1.debian.tar.xz
--- End Message ---