Your message dated Wed, 24 May 2023 10:24:44 +0000
with message-id <e1q1lfg-00ewgk...@fasolo.debian.org>
and subject line Bug#1034719: fixed in mysql-8.0 8.0.33-1
has caused the Debian Bug report #1034719,
regarding mysql-8.0: CVE-2023-21982 CVE-2023-21980 CVE-2023-21977 
CVE-2023-21976 CVE-2023-21972 CVE-2023-21966 CVE-2023-21962 CVE-2023-21955 
CVE-2023-21953 CVE-2023-21947 CVE-2023-21946 CVE-2023-21945 CVE-2023-21940 
CVE-2023-21935 CVE-2023-21933 CVE-2023-21929 CVE-2023-21920 CVE-2023-21919 
CVE-2023-21911
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034719
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2023-21982[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21980[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Client programs). Supported versions that are affected are 5.7.41 and
| prior and 8.0.32 and prior. Difficult to exploit vulnerability allows
| low privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks require human interaction
| from a person other than the attacker. Successful attacks of this
| vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base
| Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).


CVE-2023-21977[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21976[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21972[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DML). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21966[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: JSON). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21962[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21955[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Partition). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21953[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Partition). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21947[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21946[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21945[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21940[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Components Services). Supported versions that are affected are
| 8.0.32 and prior. Difficult to exploit vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score
| 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21935[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21933[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21929[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server as well as unauthorized update, insert
| or delete access to some of MySQL Server accessible data. CVSS 3.1
| Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2023-21920[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Optimizer). Supported versions that are affected are 8.0.32
| and prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21919[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: DDL). Supported versions that are affected are 8.0.32 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21911[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 8.0.32 and prior.
| Easily exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21982
    https://www.cve.org/CVERecord?id=CVE-2023-21982
[1] https://security-tracker.debian.org/tracker/CVE-2023-21980
    https://www.cve.org/CVERecord?id=CVE-2023-21980
[2] https://security-tracker.debian.org/tracker/CVE-2023-21977
    https://www.cve.org/CVERecord?id=CVE-2023-21977
[3] https://security-tracker.debian.org/tracker/CVE-2023-21976
    https://www.cve.org/CVERecord?id=CVE-2023-21976
[4] https://security-tracker.debian.org/tracker/CVE-2023-21972
    https://www.cve.org/CVERecord?id=CVE-2023-21972
[5] https://security-tracker.debian.org/tracker/CVE-2023-21966
    https://www.cve.org/CVERecord?id=CVE-2023-21966
[6] https://security-tracker.debian.org/tracker/CVE-2023-21962
    https://www.cve.org/CVERecord?id=CVE-2023-21962
[7] https://security-tracker.debian.org/tracker/CVE-2023-21955
    https://www.cve.org/CVERecord?id=CVE-2023-21955
[8] https://security-tracker.debian.org/tracker/CVE-2023-21953
    https://www.cve.org/CVERecord?id=CVE-2023-21953
[9] https://security-tracker.debian.org/tracker/CVE-2023-21947
    https://www.cve.org/CVERecord?id=CVE-2023-21947
[10] https://security-tracker.debian.org/tracker/CVE-2023-21946
    https://www.cve.org/CVERecord?id=CVE-2023-21946
[11] https://security-tracker.debian.org/tracker/CVE-2023-21945
    https://www.cve.org/CVERecord?id=CVE-2023-21945
[12] https://security-tracker.debian.org/tracker/CVE-2023-21940
    https://www.cve.org/CVERecord?id=CVE-2023-21940
[13] https://security-tracker.debian.org/tracker/CVE-2023-21935
    https://www.cve.org/CVERecord?id=CVE-2023-21935
[14] https://security-tracker.debian.org/tracker/CVE-2023-21933
    https://www.cve.org/CVERecord?id=CVE-2023-21933
[15] https://security-tracker.debian.org/tracker/CVE-2023-21929
    https://www.cve.org/CVERecord?id=CVE-2023-21929
[16] https://security-tracker.debian.org/tracker/CVE-2023-21920
    https://www.cve.org/CVERecord?id=CVE-2023-21920
[17] https://security-tracker.debian.org/tracker/CVE-2023-21919
    https://www.cve.org/CVERecord?id=CVE-2023-21919
[18] https://security-tracker.debian.org/tracker/CVE-2023-21911
    https://www.cve.org/CVERecord?id=CVE-2023-21911

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mysql-8.0
Source-Version: 8.0.33-1
Done: Lena Voytek <lena.voy...@canonical.com>

We believe that the bug you reported is fixed in the latest version of
mysql-8.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lena Voytek <lena.voy...@canonical.com> (supplier of updated mysql-8.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 May 2023 16:10:59 -0700
Source: mysql-8.0
Binary: libmysqlclient21 libmysqlclient-dev mysql-client-core-8.0 mysql-client-8.0 mysql-server-core-8.0 mysql-server-8.0 mysql-server mysql-client mysql-testsuite mysql-testsuite-8.0 mysql-source-8.0 mysql-router
Architecture: source
Version: 8.0.33-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Lena Voytek <lena.voy...@canonical.com>
Description:
 libmysqlclient-dev - MySQL database development files
 libmysqlclient21 - MySQL database client library
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-8.0 - MySQL database client binaries
 mysql-client-core-8.0 - MySQL database core client binaries
 mysql-router - route connections from MySQL clients to MySQL servers
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-8.0 - MySQL database server binaries and system database setup
 mysql-server-core-8.0 - MySQL database server binaries
 mysql-source-8.0 - MySQL source
 mysql-testsuite - MySQL regression tests
 mysql-testsuite-8.0 - MySQL 8.0 testsuite
Closes: 1034719
Launchpad-Bugs-Fixed: 1980466 2019203
Changes:
 mysql-8.0 (8.0.33-1) unstable; urgency=medium
 .
   [ Lena Voytek ]
   * Imported upstream version 8.0.33 to fix security issues
     - https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL
     - CVE-2023-21982 CVE-2023-21980 CVE-2023-21977 CVE-2023-21976
       CVE-2023-21972 CVE-2023-21966 CVE-2023-21962 CVE-2023-21955
       CVE-2023-21953 CVE-2023-21947 CVE-2023-21946 CVE-2023-21945
       CVE-2023-21940 CVE-2023-21935 CVE-2023-21933 CVE-2023-21929
       CVE-2023-21920 CVE-2023-21919 CVE-2023-21911
     Upstream release notes:
     - https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.html
     (Closes: #1034719)
   * debian/mysql-testsuite-8.0.install: Added new files
   * d/p/mysql_secure_installation-remove-root-pw-creation.patch: Fix
     mysql_secure_installation by removing root password creation (LP: #1980466)
 .
   [ Marc Deslauriers ]
   * Fix crash on startup on armhf (LP: #2019203)
     - debian/patches/revert-be8348a7.patch: revert upstream commit.
   * Fix expired date in main.derived_condition_pushdown test
     - debian/patches/fix_expired_date_in_test.patch: update expired date.
Checksums-Sha1:
 9be30ac4e124ce07a3d27776f87affe9ee4eb223 3380 mysql-8.0_8.0.33-1.dsc
 7179c3e3c9c5e5a06cea2ba77645bbd793732f8f 438065679 mysql-8.0_8.0.33.orig.tar.gz
 207d990dcd4ed15bdb09b9562a2db2976e05d194 147484 mysql-8.0_8.0.33-1.debian.tar.xz
Checksums-Sha256:
 122cad25fb3dfc83a97639b4a21ed4c85183d1ee2b7f6f35045d63931fd571f6 3380 mysql-8.0_8.0.33-1.dsc
 ae31e6368617776b43c82436c3736900067fada1289032f3ac3392f7380bcb58 438065679 mysql-8.0_8.0.33.orig.tar.gz
 c7fd2d9459bfb023c44e340578f0110e6687affd806d02ca7f7553c3b2e86a79 147484 mysql-8.0_8.0.33-1.debian.tar.xz
Files:
 6923f6e6272937f85faa78372262ac8c 3380 database optional mysql-8.0_8.0.33-1.dsc
 20ffc71fb8acd705cdc4a8ae4cdedf23 438065679 database optional mysql-8.0_8.0.33.orig.tar.gz
 3012c82763548b7a214e244ebda01715 147484 database optional mysql-8.0_8.0.33-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
