Security update for mysql-community-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2293-1 Final 1 1 2018-08-09T20:44:38Z current 2018-08-09T20:44:38Z 2018-08-09T20:44:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mysql-community-server This update for mysql-community-server to version 5.6.41 fixes the following issues: Security vulnerabilities fixed: - CVE-2018-3064: Fixed an easily exploitable vulnerability that allowed a low privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. (bsc#1103342) - CVE-2018-3070: Fixed an easily exploitable vulnerability that allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (bsc#1101679) - CVE-2018-0739: Fixed a stack exhaustion in case of recursively constructed ASN.1 types. (boo#1087102) - CVE-2018-3062: Fixed a difficult to exploit vulnerability that allowed low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (bsc#1103344) - CVE-2018-3081: Fixed a difficult to exploit vulnerability that allowed high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. (bsc#1101680) - CVE-2018-3058: Fixed an easily exploitable vulnerability that allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. (bsc#1101676) - CVE-2018-3066: Fixed a difficult to exploit vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. (bsc#1101678) - CVE-2018-2767: Fixed a difficult to exploit vulnerability that allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. (boo#1088681) You can find more detailed information about this update in the [release notes](http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-41.html) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html E-Mail link for openSUSE-SU-2018:2293-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libmysql56client18-5.6.41-39.1 libmysql56client18-32bit-5.6.41-39.1 libmysql56client_r18-5.6.41-39.1 libmysql56client_r18-32bit-5.6.41-39.1 mysql-community-server-5.6.41-39.1 mysql-community-server-bench-5.6.41-39.1 mysql-community-server-client-5.6.41-39.1 mysql-community-server-errormessages-5.6.41-39.1 mysql-community-server-test-5.6.41-39.1 mysql-community-server-tools-5.6.41-39.1 libmysql56client18-5.6.41-39.1 as a component of openSUSE Leap 42.3 libmysql56client18-32bit-5.6.41-39.1 as a component of openSUSE Leap 42.3 libmysql56client_r18-5.6.41-39.1 as a component of openSUSE Leap 42.3 libmysql56client_r18-32bit-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-bench-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-client-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-errormessages-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-test-5.6.41-39.1 as a component of openSUSE Leap 42.3 mysql-community-server-tools-5.6.41-39.1 as a component of openSUSE Leap 42.3 Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). CVE-2018-0739 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-0739.html CVE-2018-0739 https://bugzilla.suse.com/1087102 SUSE Bug 1087102 https://bugzilla.suse.com/1089997 SUSE Bug 1089997 https://bugzilla.suse.com/1108542 SUSE Bug 1108542 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). CVE-2018-2767 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-2767.html CVE-2018-2767 https://bugzilla.suse.com/1088681 SUSE Bug 1088681 https://bugzilla.suse.com/1101675 SUSE Bug 1101675 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). CVE-2018-3058 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3058.html CVE-2018-3058 https://bugzilla.suse.com/1101676 SUSE Bug 1101676 https://bugzilla.suse.com/1116686 SUSE Bug 1116686 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-3062 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3062.html CVE-2018-3062 https://bugzilla.suse.com/1103344 SUSE Bug 1103344 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). CVE-2018-3064 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3064.html CVE-2018-3064 https://bugzilla.suse.com/1103342 SUSE Bug 1103342 https://bugzilla.suse.com/1116686 SUSE Bug 1116686 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N). CVE-2018-3066 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3066.html CVE-2018-3066 https://bugzilla.suse.com/1101678 SUSE Bug 1101678 https://bugzilla.suse.com/1116686 SUSE Bug 1116686 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2018-3070 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3070.html CVE-2018-3070 https://bugzilla.suse.com/1101679 SUSE Bug 1101679 Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2018-3081 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client18-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.41-39.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.41-39.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.41-39.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00039.html https://www.suse.com/security/cve/CVE-2018-3081.html CVE-2018-3081 https://bugzilla.suse.com/1101680 SUSE Bug 1101680