Tech Talk

[MySQL v5.1.47 update available]

FYI...

MySQL v5.1.47 update available
- http://www.mysql.com/downloads/mysql/

Changes in MySQL 5.1.47
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

- http://secunia.com/advisories/39792/
Last Update: 2010-05-21
Criticality level: Moderately critical
Impact: Security Bypass, DoS, System access
Where: From local network
Software: MySQL 5.x
CVE Reference(s): CVE-2010-1848, CVE-2010-1849, CVE-2010-1850
...The vulnerabilities are reported in versions prior to 5.1.47.
Solution: Update to version 5.1.47.

 

[MySQL v5.1.49 released]

FYI...

MySQL v5.1.49 released
- http://www.securityfocus.com/bid/41198/info
Updated: Aug 20 2010 06:03PM

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2008
Last revised: 08/21/2010

- http://dev.mysql.com/downloads/mysql/

Changes in Release 5.1.x (Production)
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html

- http://secunia.com/advisories/41048/
Release Date: 2010-08-24
Impact: Unknown, DoS
Where: From local network
Solution Status: Vendor Patch
Software: MySQL 5.x ...
Solution: Update to version 5.1.49...
Original Advisory: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html

Current version is MySQL 5.1.50 (03 August 2010)  
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-50.html

- http://securitytracker.com/alerts/2010/Aug/1024360.html
Aug 25 2010

 

[MySQL v5.1.51 released]

FYI...

MySQL v5.1.51 released
- http://secunia.com/advisories/41716/
Release Date: 2010-10-04
Impact: Privilege escalation, DoS
Where: From local network
... reported in versions prior to 5.1.51.
Solution: Update to version 5.1.51.
Original Advisory:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-50.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-51.html

 

[MySQL v5.1.52 released]

FYI...

MySQL v5.1.52 released
- http://secunia.com/advisories/42097/
Last Update: 2010-11-05
Impact: DoS
Where: From local network ...
... The vulnerabilities are reported in versions prior to 5.1.52.
Solution: Update to version 5.1.52.
Original Advisory: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html
http://bugs.mysql.com/bug.php?id=54488
http://bugs.mysql.com/bug.php?id=54494
http://bugs.mysql.com/bug.php?id=55531

 

[MySQL v5.1.63, 5.5.25 released]

FYI...

MySQL v5.1.63, 5.5.25 released
- https://secunia.com/advisories/49409/
Release Date: 2012-06-11
Criticality level: Moderately critical
Impact: Unknown, Security Bypass
Where: From local network
CVE Reference: CVE-2012-2122
... vulnerability is reported in versions prior to 5.1.63.
Solution: Update to version 5.1.63 or 5.5.25.
Original Advisory
https://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
https://dev.mysql.com/doc/refman/5.5/en/news-5-5-25.html ...

> http://h-online.com/-1614990
11 June 2012 - "Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild...  there was now a Metasploit module which used the vulnerability to retrieve all the server's passwords."
___

CVE-2012-2122 ...
- https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Jun 11, 2012 - "... If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting..."

 

[0-day vulns in MySQL fixed by MariaDB]

FYI...

See: http://boards.cexx.org/index.php?topic=19191.0
... and: https://secunia.com/advisories/51894/
Release Date: 2013-01-16
> http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixMSQL
___

0-day vulns in MySQL fixed by MariaDB
- http://h-online.com/-1761451
3 Dec 2012 - "A recently published security vulnerability in the MySQL open source database has been met with fixes by the developers of the open source MariaDB* fork... they also note that a supposed zero day vulnerability that enumerates MySQL users has been known about for ten years. MariaDB versions 5.1, 5.2, 5.3 and 5.5, in which CVE 2012-5579 is fixed, are available for download*. MySQL provider Oracle has yet to confirm the vulnerabilities, much less provide updated software."
* http://downloads.mariadb.org/
___

- https://secunia.com/advisories/51427/
Release Date: 2012-12-03
... may be related to vulnerability #1: https://secunia.com/SA51008/
CVE Reference(s): CVE-2012-5611, CVE-2012-5612, CVE-2012-5614, CVE-2012-5615
Impact: Brute force, DoS, System access
Where: From local network
Software: MySQL 5.x
Solution: No official solution is currently available...
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/multiple-zero-day-poc-exploits-threaten-oracle-mysql-server/
Dec 6, 2012 - "... MySQL Database is famous for its high performance, high reliability and ease of use. It runs on both Windows and many non-Windows platforms like UNIX, Mac OS, Solaris, IBM AIX, etc. It has been the fastest growing application and the choice of big companies such as Facebook, Google, and Adobe among others. Given its popularity, cybercriminals and other attackers are definitely eyeing this platform..."