SB2017042511 - Debian update for mysql-5.5
Published: April 25, 2017 Updated: November 21, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2017-3302)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to use-after-free error in the libmysqlclient.so. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
2) Man-in-the-middle attack (CVE-ID: CVE-2017-3305)
The vulnerability allows a remote authenticated attacker to conduct man-in-the-middle attack on the target system.The weakness exists due to checking only after authentication whether server supported SSL. A remote attacker can gain access to potentially sensitive information.
3) Security restrictions bypass (CVE-ID: CVE-2017-3308)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
4) Security restrictions bypass (CVE-ID: CVE-2017-3309)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
5) Improper input validation (CVE-ID: CVE-2017-3329)
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.The weakness exists due to improper input validation within the Thread Pooling subcomponent. A remote attacker can send a specially crated MySQL packet to the affected server and cause it to crash.
6) Security restrictions bypass (CVE-ID: CVE-2017-3453)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
7) Security restrictions bypass (CVE-ID: CVE-2017-3456)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
8) Security restrictions bypass (CVE-ID: CVE-2017-3461)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
9) Security restrictions bypass (CVE-ID: CVE-2017-3462)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
10) Security restrictions bypass (CVE-ID: CVE-2017-3463)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can cause the service to crash.
11) Security restrictions bypass (CVE-ID: CVE-2017-3464)
The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.The weakness exists in MySQL Server due to improper security restrictions. A remote attacker can update, insert or delete some of MySQL Server accessible data.
12) Command injection (CVE-ID: CVE-2017-3600)
The vulnerability allows a remote attacker to execute arbitrary shell or SQL commands on the target system.The weakness exists due to command injection. A remote authenticated attacker can execute arbitrary shell or SQL commands.
Remediation
Install update from vendor's website.