Your message dated Fri, 18 Oct 2024 07:25:59 -0700
with message-id <[email protected]>
and subject line 1085294 fixed
has caused the Debian Bug report #1085294,
regarding mysql-8.0: CVE-2024-21247 CVE-2024-21241 CVE-2024-21239 
CVE-2024-21238 CVE-2024-21237 CVE-2024-21236 CVE-2024-21231 CVE-2024-21230 
CVE-2024-21219 CVE-2024-21218 CVE-2024-21213 CVE-2024-21212 CVE-2024-21203 
CVE-2024-21201 CVE-2024-21199 CVE-2024-21198 CVE-2024-21197 CVE-2024-21196 
CVE-2024-21194 CVE-2024-21193
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1085294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085294
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mysql-8.0
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21247[0]:
| Vulnerability in the MySQL Client product of Oracle MySQL
| (component: Client: mysqldump).  Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Client.  Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Client
| accessible data as well as  unauthorized read access to a subset of
| MySQL Client accessible data. CVSS 3.1 Base Score 3.8
| (Confidentiality and Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).


CVE-2024-21241[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21239[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21238[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling).  Supported versions that are
| affected are 8.0.39 and prior, 8.4.1 and prior and  9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21237[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication GCS).  Supported versions that
| are affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and
| prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in unauthorized ability to cause a partial denial of service
| (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21236[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21231[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client programs).  Supported versions that are affected
| are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21230[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21219[8]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DML).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21218[9]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21213[10]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with logon
| to the infrastructure where MySQL Server executes to compromise
| MySQL Server.  Successful attacks require human interaction from a
| person other than the attacker. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a hang or
| frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
| Base Score 4.2 (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).


CVE-2024-21212[11]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Health Monitor).  Supported versions that are
| affected are 8.0.39 and prior and  8.4.0. Difficult to exploit
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS
| Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21203[12]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: FTS).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21201[13]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21199[14]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21198[15]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21197[16]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Information Schema).  Supported versions that
| are affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server.  Successful attacks of this vulnerability can result
| in unauthorized ability to cause a hang or frequently repeatable
| crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21196[17]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: X Plugin).  Supported versions that are affected
| are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21194[18]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21193[19]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: PS).  Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21247
    https://www.cve.org/CVERecord?id=CVE-2024-21247
[1] https://security-tracker.debian.org/tracker/CVE-2024-21241
    https://www.cve.org/CVERecord?id=CVE-2024-21241
[2] https://security-tracker.debian.org/tracker/CVE-2024-21239
    https://www.cve.org/CVERecord?id=CVE-2024-21239
[3] https://security-tracker.debian.org/tracker/CVE-2024-21238
    https://www.cve.org/CVERecord?id=CVE-2024-21238
[4] https://security-tracker.debian.org/tracker/CVE-2024-21237
    https://www.cve.org/CVERecord?id=CVE-2024-21237
[5] https://security-tracker.debian.org/tracker/CVE-2024-21236
    https://www.cve.org/CVERecord?id=CVE-2024-21236
[6] https://security-tracker.debian.org/tracker/CVE-2024-21231
    https://www.cve.org/CVERecord?id=CVE-2024-21231
[7] https://security-tracker.debian.org/tracker/CVE-2024-21230
    https://www.cve.org/CVERecord?id=CVE-2024-21230
[8] https://security-tracker.debian.org/tracker/CVE-2024-21219
    https://www.cve.org/CVERecord?id=CVE-2024-21219
[9] https://security-tracker.debian.org/tracker/CVE-2024-21218
    https://www.cve.org/CVERecord?id=CVE-2024-21218
[10] https://security-tracker.debian.org/tracker/CVE-2024-21213
    https://www.cve.org/CVERecord?id=CVE-2024-21213
[11] https://security-tracker.debian.org/tracker/CVE-2024-21212
    https://www.cve.org/CVERecord?id=CVE-2024-21212
[12] https://security-tracker.debian.org/tracker/CVE-2024-21203
    https://www.cve.org/CVERecord?id=CVE-2024-21203
[13] https://security-tracker.debian.org/tracker/CVE-2024-21201
    https://www.cve.org/CVERecord?id=CVE-2024-21201
[14] https://security-tracker.debian.org/tracker/CVE-2024-21199
    https://www.cve.org/CVERecord?id=CVE-2024-21199
[15] https://security-tracker.debian.org/tracker/CVE-2024-21198
    https://www.cve.org/CVERecord?id=CVE-2024-21198
[16] https://security-tracker.debian.org/tracker/CVE-2024-21197
    https://www.cve.org/CVERecord?id=CVE-2024-21197
[17] https://security-tracker.debian.org/tracker/CVE-2024-21196
    https://www.cve.org/CVERecord?id=CVE-2024-21196
[18] https://security-tracker.debian.org/tracker/CVE-2024-21194
    https://www.cve.org/CVERecord?id=CVE-2024-21194
[19] https://security-tracker.debian.org/tracker/CVE-2024-21193
    https://www.cve.org/CVERecord?id=CVE-2024-21193

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Hi,

This issue was fixed by the update to 8.0.40-1

Thanks

--- End Message ---