Ubuntu
mysql-5.5 package

mysql 5.5.24, 5.1.63, 5.0.x security update tracking bug

  1. Hardy (8.04)
  2. Bug #1011371
Bug #1011371 reported by Marc Deslauriers
300
This bug affects 5 people
Affects Status Importance Assigned to Milestone
mysql-5.1 (Ubuntu)
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Lucid
Invalid
Undecided
Unassigned
Natty
Fix Released
High
Marc Deslauriers
Oneiric
Fix Released
High
Marc Deslauriers
Precise
Invalid
Undecided
Unassigned
Quantal
Invalid
Undecided
Unassigned
mysql-5.5 (Ubuntu)
Fix Released
High
Clint Byrum
Hardy
Invalid
Undecided
Unassigned
Lucid
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
Oneiric
Invalid
Undecided
Unassigned
Precise
Fix Released
High
Marc Deslauriers
Quantal
Fix Released
High
Clint Byrum
mysql-dfsg-5.0 (Ubuntu)
Invalid
Undecided
Unassigned
Hardy
Fix Released
High
Marc Deslauriers
Lucid
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
Oneiric
Invalid
Undecided
Unassigned
Precise
Invalid
Undecided
Unassigned
Quantal
Invalid
Undecided
Unassigned
mysql-dfsg-5.1 (Ubuntu)
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Lucid
Fix Released
High
Marc Deslauriers
Natty
Invalid
Undecided
Unassigned
Oneiric
Invalid
Undecided
Unassigned
Precise
Invalid
Undecided
Unassigned
Quantal
Invalid
Undecided
Unassigned

Bug Description

5.5.24:
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html

Security Fix: Bug #64884 was fixed.

5.1.63:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
Security Fix: Bug #64884 was fixed.
Security Fix: Bug #59387 was fixed.

5.0.x:
Most likely also affected by #64884, but no longer supported by Oracle, needs a backported patch.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

bug #64884 is CVE-2012-2122

visibility: private → public
Changed in mysql-dfsg-5.0 (Ubuntu Hardy):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Changed in mysql-dfsg-5.0 (Ubuntu Lucid):
status: New → Invalid
Changed in mysql-dfsg-5.0 (Ubuntu Natty):
status: New → Invalid
Changed in mysql-dfsg-5.0 (Ubuntu Oneiric):
status: New → Invalid
Changed in mysql-dfsg-5.0 (Ubuntu Precise):
status: New → Invalid
Changed in mysql-dfsg-5.0 (Ubuntu Quantal):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Hardy):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in mysql-dfsg-5.1 (Ubuntu Natty):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Oneiric):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Precise):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Quantal):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Hardy):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Lucid):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Natty):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Oneiric):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Changed in mysql-5.5 (Ubuntu Quantal):
assignee: nobody → Clint Byrum (clint-fewbar)
importance: Undecided → High
status: New → Confirmed
Changed in mysql-5.1 (Ubuntu Hardy):
status: New → Invalid
Changed in mysql-5.1 (Ubuntu Lucid):
status: New → Invalid
Changed in mysql-5.1 (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Changed in mysql-5.1 (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in mysql-5.1 (Ubuntu Precise):
status: New → Invalid
Changed in mysql-5.1 (Ubuntu Quantal):
status: New → Invalid
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

FYI, I can only reproduce CVE-2012-2122 on real hardware that supports SSE4. Oneiric and higher, amd64 only.

Revision history for this message
sseitz (s-seitz) wrote :

Regarding #2:
You're right. I've tried on identical 12.04 LTS 64bit.
Vulnurable on Xeon E5654
Not vulnurable on Xeon E5345
Both machines are paravirtualizes Xen DomU, so it looks like the system is vulnurable by the availability of sse4 only. It looks like the existence of Xen virtualizationlayer doesn't matter.

Revision history for this message
Antono Vasiljev (antono) wrote :

12.04 http://shelr.tv/records/4fd6173a9660804894000018

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.0.96-0ubuntu3

---------------
mysql-dfsg-5.0 (5.0.96-0ubuntu3) hardy-security; urgency=low

  * SECURITY UPDATE: authentication bypass (LP: #1011371)
    - debian/patches/90_CVE-2012-2122.patch: fix improper type conversion
      in sql/password.c.
    - CVE-2012-2122
  * debian/mysql-server.preinst: Removed to prevent service from remaining
    stopped after getting updated. The upgrade logic is still present in
    mysql-common.preinst. (LP: #988325)
 -- Marc Deslauriers <email address hidden> Mon, 11 Jun 2012 09:04:56 -0400

Changed in mysql-dfsg-5.0 (Ubuntu Hardy):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.24-0ubuntu0.12.04.1

---------------
mysql-5.5 (5.5.24-0ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.24 to fix security issues (LP: #1011371)
    - http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
 -- Marc Deslauriers <email address hidden> Mon, 11 Jun 2012 07:34:33 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.1 - 5.1.63-0ubuntu0.11.10.1

---------------
mysql-5.1 (5.1.63-0ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Update to 5.1.63 to fix security issues (LP: #1011371)
    - http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
 -- Marc Deslauriers <email address hidden> Sun, 10 Jun 2012 20:49:35 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.1 - 5.1.63-0ubuntu0.11.04.1

---------------
mysql-5.1 (5.1.63-0ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: Update to 5.1.63 to fix security issues (LP: #1011371)
    - http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
 -- Marc Deslauriers <email address hidden> Mon, 11 Jun 2012 07:25:44 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.63-0ubuntu0.10.04.1

---------------
mysql-dfsg-5.1 (5.1.63-0ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: Update to 5.1.63 to fix security issues (LP: #1011371)
    - http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
 -- Marc Deslauriers <email address hidden> Mon, 11 Jun 2012 07:27:41 -0400

Changed in mysql-5.1 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in mysql-5.1 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in mysql-5.5 (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.25-0ubuntu1

---------------
mysql-5.5 (5.5.25-0ubuntu1) quantal; urgency=low

  * New upstream release (LP: #1011371, LP: #986892)
  * d/rules: change get-orig-source to pull from a working mirror.
  * d/control: Build with default compiler instead of gcc 4.5
 -- Clint Byrum <email address hidden> Mon, 11 Jun 2012 23:34:14 -0700

Changed in mysql-5.5 (Ubuntu Quantal):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.