Comment 0 for bug 201009

Jamie Strandboge (jdstrand) wrote :

*** Impact ***
mysql as included in Ubuntu is vulnerable to several CVEs:

CVE-2006-7232 (DoS, small patch)
CVE-2007-2692 (privilege escalation, large patch)
CVE-2007-6303 (privilege escalation)
CVE-2008-0226 (overflow, small patch)
CVE-2008-0227 (DoS, small patch)

CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 are non-intrusive patches and would normally be pushed in a standard security update.

CVE-2007-6303 required an adapted patch for http://bugs.mysql.com/bug.php?id=21080 on dapper and edgy.

CVE-2007-2692 is fixed in Debian, but it is incomplete. To properly fix this CVE, relevant code from these upstream commits had to be adapted and applied:
http://lists.mysql.com/commits/23056 (dapper - feisty)
http://lists.mysql.com/commits/8101 (dapper)

These changes were too extensive to apply without modification, so they were adapted to have minimal, but effective changes.

CVE-2007-6303 and CVE-2007-2692 are both important privilege escalation vulnerabilities and need to be addressed.

*** Development branch ***
These vulnerabilities are fixed in Hardy. However, MySQL has a lot of changes in their stable 5.0.x series, and backported fixes from a later version to an earlier version can be extensive, as in the case of CVE-2007-6303 and CVE-2007-2692.

Other major distributions either have not fixed CVE-2007-6303 and CVE-2007-2692 or simply performed a MicroVersionUpdate. This option was evaluated several months ago and it was decided that a full MicroVersionUpdate would likely cause too many problems in a stable release, based on upstream release notes from 5.0.22 (dapper) to 5.0.45 (the released version that fixed these vulnerabilities).

*** Regression Testing ***
These patches have undergone testing on i386 and amd64 and do not appear to introduce any regressions. Each patch adds test cases to the internal mysql-test test suite for the issue being fixed, and all expected tests pass (edgy and feisty have a test that fails, but it failed prior to this update). In addition, packages were tested with qa-regression-testing scripts and all pass.

The patches and commits for CVE-2007-6303 and CVE-2007-2692 were verified against upstream changelogs and release notes to not introduce database incompatibilities or regressions on their own.

*** Regression Potential ***
It is believed CVE-2006-7232, CVE-2008-0226 and CVE-2008-0227 have little regression potential. CVE-2007-6303 and CVE-2007-2692 have potential for regression as the patches are larger and adapted from various commits. Users of SQL SECURITY INVOKER for stored routines and views with DEFINER values would be the most likely to see regressions.

*** Further Testing ***
Packages will be uploaded to -proposed and an email sent to get more widespread testing. Please report any regressions in the -proposed packages in this bug report.