Security update for mysql-community-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0138-1 Final 1 1 2019-02-05T09:16:15Z current 2019-02-05T09:16:15Z 2019-02-05T09:16:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mysql-community-server This update for mysql-community-server to version 5.6.43 fixes the following issues: Security issues fixed: - CVE-2019-2534, CVE-2019-2529, CVE-2019-2482, CVE-2019-2455, CVE-2019-2503, CVE-2019-2537, CVE-2019-2481, CVE-2019-2507, CVE-2019-2531, CVE-2018-0734 (boo#1113652, boo#1122198) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html E-Mail link for openSUSE-SU-2019:0138-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libmysql56client18-5.6.43-45.1 libmysql56client18-32bit-5.6.43-45.1 libmysql56client_r18-5.6.43-45.1 libmysql56client_r18-32bit-5.6.43-45.1 mysql-community-server-5.6.43-45.1 mysql-community-server-bench-5.6.43-45.1 mysql-community-server-client-5.6.43-45.1 mysql-community-server-errormessages-5.6.43-45.1 mysql-community-server-test-5.6.43-45.1 mysql-community-server-tools-5.6.43-45.1 libmysql56client18-5.6.43-45.1 as a component of openSUSE Leap 42.3 libmysql56client18-32bit-5.6.43-45.1 as a component of openSUSE Leap 42.3 libmysql56client_r18-5.6.43-45.1 as a component of openSUSE Leap 42.3 libmysql56client_r18-32bit-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-bench-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-client-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-errormessages-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-test-5.6.43-45.1 as a component of openSUSE Leap 42.3 mysql-community-server-tools-5.6.43-45.1 as a component of openSUSE Leap 42.3 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVE-2018-0734 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2018-0734.html CVE-2018-0734 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://bugzilla.suse.com/1113742 SUSE Bug 1113742 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1122212 SUSE Bug 1122212 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2455 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2455.html CVE-2019-2455 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2481 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2481.html CVE-2019-2481 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2482 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2482.html CVE-2019-2482 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H). CVE-2019-2503 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2503.html CVE-2019-2503 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2507 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2507.html CVE-2019-2507 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2529 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2529.html CVE-2019-2529 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1136037 SUSE Bug 1136037 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2531 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2531.html CVE-2019-2531 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). CVE-2019-2534 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2534.html CVE-2019-2534 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2537 openSUSE Leap 42.3:libmysql56client18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client18-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-32bit-5.6.43-45.1 openSUSE Leap 42.3:libmysql56client_r18-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-bench-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-client-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-errormessages-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-test-5.6.43-45.1 openSUSE Leap 42.3:mysql-community-server-tools-5.6.43-45.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00005.html https://www.suse.com/security/cve/CVE-2019-2537.html CVE-2019-2537 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1136037 SUSE Bug 1136037