mysql

SUSE Security Update: mysql
Announcement ID: SUSE-SU-2018:1333-1
Rating: moderate
References: #1089987
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11-SP4
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that fixes 9 vulnerabilities is now available.

    Description:


    This update fixes the following issues:

    - Update to 5.5.60 in Oracle Apr2018 CPU (bsc#1089987).
    - CVE-2018-2761: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Client programs). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2755: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: Replication). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with logon to the infrastructure where MySQL Server executes to
    compromise MySQL Server. Successful attacks require human interaction
    from a person other than the attacker and while the vulnerability is
    in MySQL Server, attacks may significantly impact additional products.
    Successful attacks of this vulnerability can result in takeover of
    MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and
    Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
    - CVE-2018-2781: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: Optimizer). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Easily exploitable vulnerability allows high privileged attacker with
    network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2819: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: InnoDB). Supported versions that are affected are
    5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily
    exploitable vulnerability allows low privileged attacker with network
    access via multiple protocols to compromise MySQL Server. Successful
    attacks of this vulnerability can result in unauthorized ability to
    cause a hang or frequently repeatable crash (complete DOS) of MySQL
    Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2818: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server : Security : Privileges). Supported
    versions that are affected are 5.5.59 and prior, 5.6.39 and prior and
    5.7.21 and prior. Easily exploitable vulnerability allows high
    privileged attacker with network access via multiple protocols to
    compromise MySQL Server. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a hang or frequently
    repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score
    4.9 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2817: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: DDL). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Easily exploitable vulnerability allows low privileged attacker with
    network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2771: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: Locking). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Difficult to exploit vulnerability allows high privileged attacker
    with network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS)
    of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
    - CVE-2018-2813: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Server: DDL). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Easily exploitable vulnerability allows low privileged attacker with
    network access via multiple protocols to compromise MySQL Server.
    Successful attacks of this vulnerability can result in unauthorized
    read access to a subset of MySQL Server accessible data. CVSS 3.0 Base
    Score 4.3 (Confidentiality impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
    - CVE-2018-2773: Vulnerability in the MySQL Server component of Oracle
    MySQL (subcomponent: Client programs). Supported versions that are
    affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior.
    Difficult to exploit vulnerability allows high privileged attacker
    with logon to the infrastructure where MySQL Server executes to
    compromise MySQL Server. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a hang or frequently
    repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score
    4.1 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-mysql-13611=1
    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-mysql-13611=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-mysql-13611=1

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      • libmysql55client_r18-32bit-5.5.60-0.39.12.1
    • SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64):
      • libmysql55client_r18-x86-5.5.60-0.39.12.1
    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • libmysql55client18-5.5.60-0.39.12.1
      • libmysql55client_r18-5.5.60-0.39.12.1
      • mysql-5.5.60-0.39.12.1
      • mysql-client-5.5.60-0.39.12.1
      • mysql-tools-5.5.60-0.39.12.1
    • SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      • libmysql55client18-32bit-5.5.60-0.39.12.1
      • libmysql55client_r18-32bit-5.5.60-0.39.12.1
    • SUSE Linux Enterprise Server 11-SP4 (ia64):
      • libmysql55client18-x86-5.5.60-0.39.12.1
      • libmysql55client_r18-x86-5.5.60-0.39.12.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • mysql-debuginfo-5.5.60-0.39.12.1
      • mysql-debugsource-5.5.60-0.39.12.1

    References: