SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   MySQL Vendors:   MySQL.com, Oracle
(CentOS Issues Fix) MySQL Multiple Bugs Let Remote Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Modify Data and Gain Elevated Privileges
SecurityTracker Alert ID:  1037723
SecurityTracker URL:  http://securitytracker.com/id/1037723
CVE Reference:   CVE-2016-5616   (Links to External Site)
Date:  Jan 27 2017
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
Description:   Multiple vulnerabilities were reported in MySQL. A remote user can access and modify data on the target system. A remote or local user can cause denial of service conditions on the target system. A local user can modify data on the target system. A local user can obtain elevated privileges on the target system.

A local user can exploit a flaw in the Server: Error Handling component to gain elevated privileges [CVE-2016-5617].

A local user can exploit a flaw in the Server: MyISAM component to gain elevated privileges [CVE-2016-5616].

A local user can exploit a flaw in the Server: Packaging component to gain elevated privileges [CVE-2016-5625].

A remote authenticated user can exploit a flaw in the Server: DML component to cause denial of service conditions [CVE-2016-5609, CVE-2016-5612, CVE-2016-5624].

A remote authenticated user can exploit a flaw in the Server: GIS component to cause denial of service conditions [CVE-2016-5626].

A remote authenticated user can exploit a flaw in the Server: InnoDB component to cause denial of service conditions [CVE-2016-5627].

A remote authenticated user can exploit a flaw in the Server: Optimizer component to cause denial of service conditions [CVE-2016-3492].

A remote user can exploit a flaw in the Connector/Python component to partially access data, partially modify data, and partially deny service [CVE-2016-5598].

A local user can exploit a flaw in the Server: Security: Encryption component to access data [CVE-2016-7440].

A remote authenticated user can exploit a flaw in the Server: DML component to cause denial of service conditions [CVE-2016-5628].

A remote authenticated user can exploit a flaw in the Server: Federated component to cause denial of service conditions [CVE-2016-5629].

A remote authenticated user can exploit a flaw in the Server: InnoDB component to cause denial of service conditions [CVE-2016-3495, CVE-2016-5630, CVE-2016-5507].

A remote authenticated user can exploit a flaw in the Server: Memcached component to cause denial of service conditions [CVE-2016-5631].

A remote authenticated user can exploit a flaw in the Server: Optimizer component to cause denial of service conditions [CVE-2016-5632].

A remote authenticated user can exploit a flaw in the Server: Performance Schema component to cause denial of service conditions [CVE-2016-5633].

A remote authenticated user can exploit a flaw in the Server: RBR component to cause denial of service conditions [CVE-2016-5634].

A remote authenticated user can exploit a flaw in the Server: Security: Audit component to cause denial of service conditions [CVE-2016-5635].

A local user can exploit a flaw in the Server: InnoDB component to partially modify data and cause denial of service conditions [CVE-2016-8289].

A remote authenticated user can exploit a flaw in the Server: Replication component to cause denial of service conditions [CVE-2016-8287].

A remote authenticated user can exploit a flaw in the Server: Performance Schema component to cause denial of service conditions [CVE-2016-8290].

A remote authenticated user can exploit a flaw in the Server: Security: Encryption component to access data [CVE-2016-5584].

A remote authenticated user can exploit a flaw in the Server: Types component to cause partial denial of service conditions [CVE-2016-8283].

A remote authenticated user can exploit a flaw in the Server: InnoDB Plugin component to partially modify data [CVE-2016-8288].

A remote authenticated user can exploit a flaw in the Server: Security: Privileges component to partially access data [CVE-2016-8286].

A local user can exploit a flaw in the Server: Replication component to cause partial denial of service conditions [CVE-2016-8284].

The following researchers reported these and other Oracle product vulnerabilities:

Abhishek Singh; Alejo Popovici; Alexander Kornbrust of Red Database Security; Amichai Shulman of Imperva, Inc.; Ariel Walter Garcia; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; bo13oy of Trend Micro's Zero Day Initiative;
Cezar Santos; David Litchfield of Google; Dawid Golunski; Denis Shpektorov; Devin Rosenbauer of Identity Works LLC; Felix Wilhelm; Hunter Liu of Huawei's IT Infrastructure & Security Dept, BPIT&QM; Jackson Thuraisamy of Security Compass;
Jacob Baines - Tenable Network Security (via Trend Micro's Zero Day Initiative); Jakub Palaczynski of ING Services Polska; John Page (hyp3rlinx); Jordan Milne; Mateusz Guzik; Matias Mevied of Onapsis; Matthias Kaiser of Code White;
Michael Miller of Integrigy; Okan Basegmez of DORASEC Consulting; Pete Finnigan; Peter Moody; Rahmat Nur Fauzi; Reno Robert; Rex Dale Stevens; Sahar Sabban of Intel; Suraj Khetani of Gulf Business Machines; Sven Blumenstein of Google; Tommy DeVoss of Evolution Security; Valentin Dornauer; and Vishnu Padmakumar.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A local user can cause denial of service conditions on the target system.

A remote user can cause denial of service conditions.

A local user can obtain elevated privileges on the target system.

A local user can modify data on the target system.

Solution:   CentOS has issued a fix for CVE-2016-5616.

i386:
90a5007752cc5dc69559fbac5117708c4aacd4ee45dc09ea79d4b86e739f6196 mysql-5.1.73-8.el6_8.i686.rpm
d9fa54a3d70a5d9e5732d22cf2eac1f01b3e78df12cfd2f803488323736081c1 mysql-bench-5.1.73-8.el6_8.i686.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde mysql-devel-5.1.73-8.el6_8.i686.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e mysql-embedded-5.1.73-8.el6_8.i686.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658 mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092 mysql-libs-5.1.73-8.el6_8.i686.rpm
bed77f90cc7dab7121d50e594becd0e583182d31df09422545d690f5b7c43629 mysql-server-5.1.73-8.el6_8.i686.rpm
c2dcb64a748bc7fdbc77cb9fbfec0fe99b309d1c3af0fbe87dc25b82a5e74825 mysql-test-5.1.73-8.el6_8.i686.rpm

x86_64:
3086e370dee78dcf420a882c33707369cedc0c16fff25020ef38ddc8dd10a1c2 mysql-5.1.73-8.el6_8.x86_64.rpm
1ec8a72b49e3942de13fa941555970ea979066fda8b30fab7744fa2235f31b33 mysql-bench-5.1.73-8.el6_8.x86_64.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde mysql-devel-5.1.73-8.el6_8.i686.rpm
ee4cafcc7ad0859a45ff54ca17997a903279732a96d45b0bdad99576f8596f8e mysql-devel-5.1.73-8.el6_8.x86_64.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e mysql-embedded-5.1.73-8.el6_8.i686.rpm
5dbc5d8e5809e2901d5e8e8b1418750002b83e3406e03ae8d71cfb94127eb243 mysql-embedded-5.1.73-8.el6_8.x86_64.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658 mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
112a82ba493db96e355d00b6f1982e3b1edf91a43049eedc88e616e697c51f0f mysql-embedded-devel-5.1.73-8.el6_8.x86_64.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092 mysql-libs-5.1.73-8.el6_8.i686.rpm
eb618e3896815be9548104036c272b9f17f54b8706b52451bcb8e6ddc0a2ed7b mysql-libs-5.1.73-8.el6_8.x86_64.rpm
e903e2e57ff025de587503648680701f99c2162d852c04b6e3660b30087637ed mysql-server-5.1.73-8.el6_8.x86_64.rpm
847d84415d57eb33f505408b9676d59949b8b3d46002ae37dc028d0cc6977945 mysql-test-5.1.73-8.el6_8.x86_64.rpm

Source:
c328e9e7e4d58ccd09d5c40830f71215249a868c2eb80762e993d5d9eb7ee96d mysql-5.1.73-8.el6_8.src.rpm

Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Oct 19 2016 MySQL Multiple Bugs Let Remote Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Modify Data and Gain Elevated Privileges



 Source Message Contents

Subject:  [CentOS-announce] CESA-2017:0184 Important CentOS 6 mysql Security Update


CentOS Errata and Security Advisory 2017:0184 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0184.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
90a5007752cc5dc69559fbac5117708c4aacd4ee45dc09ea79d4b86e739f6196  mysql-5.1.73-8.el6_8.i686.rpm
d9fa54a3d70a5d9e5732d22cf2eac1f01b3e78df12cfd2f803488323736081c1  mysql-bench-5.1.73-8.el6_8.i686.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde  mysql-devel-5.1.73-8.el6_8.i686.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e  mysql-embedded-5.1.73-8.el6_8.i686.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658  mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092  mysql-libs-5.1.73-8.el6_8.i686.rpm
bed77f90cc7dab7121d50e594becd0e583182d31df09422545d690f5b7c43629  mysql-server-5.1.73-8.el6_8.i686.rpm
c2dcb64a748bc7fdbc77cb9fbfec0fe99b309d1c3af0fbe87dc25b82a5e74825  mysql-test-5.1.73-8.el6_8.i686.rpm

x86_64:
3086e370dee78dcf420a882c33707369cedc0c16fff25020ef38ddc8dd10a1c2  mysql-5.1.73-8.el6_8.x86_64.rpm
1ec8a72b49e3942de13fa941555970ea979066fda8b30fab7744fa2235f31b33  mysql-bench-5.1.73-8.el6_8.x86_64.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde  mysql-devel-5.1.73-8.el6_8.i686.rpm
ee4cafcc7ad0859a45ff54ca17997a903279732a96d45b0bdad99576f8596f8e  mysql-devel-5.1.73-8.el6_8.x86_64.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e  mysql-embedded-5.1.73-8.el6_8.i686.rpm
5dbc5d8e5809e2901d5e8e8b1418750002b83e3406e03ae8d71cfb94127eb243  mysql-embedded-5.1.73-8.el6_8.x86_64.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658  mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
112a82ba493db96e355d00b6f1982e3b1edf91a43049eedc88e616e697c51f0f  mysql-embedded-devel-5.1.73-8.el6_8.x86_64.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092  mysql-libs-5.1.73-8.el6_8.i686.rpm
eb618e3896815be9548104036c272b9f17f54b8706b52451bcb8e6ddc0a2ed7b  mysql-libs-5.1.73-8.el6_8.x86_64.rpm
e903e2e57ff025de587503648680701f99c2162d852c04b6e3660b30087637ed  mysql-server-5.1.73-8.el6_8.x86_64.rpm
847d84415d57eb33f505408b9676d59949b8b3d46002ae37dc028d0cc6977945  mysql-test-5.1.73-8.el6_8.x86_64.rpm

Source:
c328e9e7e4d58ccd09d5c40830f71215249a868c2eb80762e993d5d9eb7ee96d  mysql-5.1.73-8.el6_8.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC