latest Oracle's CPU related to MySQL

Hi,

I was asked about security vulnerabilities from the latest Oracle's CPU:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html#Ap...

So, here is, as a summary, what I think these "unspecified vulnerabilities used via unknown attack vectors" really are.

Sometimes it wasn't obvious what changeset fixes a particular CVE bug. And in some cases I would've described the bug differently, not how CVE entry does it. So, again, this is *my opinion* about how they map to the code changes, and I might be wrong here.

Regards,
Sergei

====================================

CVE-2012-3144
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/jon.hauglid@ora...
Revno: 3894
Author: Jon Olav Hauglid <jon.hauglid@oracle.com>
Date: Tue 2012-07-10 16:13:02 +0200

Bug#12623923 Server can crash after failure to create primary key with innodb tables

CVE-2012-3147
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote attackers to affect integrity and availability, related to MySQL Client.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/georgi.kodinov@...
Revno: 3885.1.2
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date: Fri 2012-06-29 14:04:24 +0300

Bug #12910665: AUTH-PLUGIN-DATA-LEN NOT TESTED FOR VALIDITY BY THE CLIENT

CVE-2012-3149
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.26 and earlier allows remote authenticated users to affect confidentiality, related to MySQL Client.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/georgi.kodinov@...
Revno: 3884
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date: Thu 2012-07-05 09:55:20 +0300

Bug #12998841: libmysql divulges plaintext password upon request in 5.5

CVE-2012-3150
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/norvald.ryeng@o...
Revno: 3757.1.1
Author: Norvald H. Ryeng <norvald.ryeng@oracle.com>
Date: Mon 2012-06-18 09:20:12 +0200

Bug#13003736 CRASH IN ITEM_REF::WALK WITH SUBQUERIES

CVE-2012-3156
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/tor.didriksen@o...
Revno: 3840
Author: Tor Didriksen <tor.didriksen@oracle.com>
Date: Mon 2012-05-21 10:47:12 +0200

Bug#13986705 CRASH IN GET_INTERVAL_VALUE() WITH DATE CALCULATION WITH UTF32 INTERVALS

CVE-2012-3158
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/georgi.kodinov@...
Revno: 3762
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date: Thu 2012-06-28 18:38:55 +0300

Bug #13708485: malformed resultset packet crashes client

CVE-2012-3160
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows local users to affect confidentiality via unknown vectors related to Server Installation.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/nirbhay.choubey...
Revno: 3780
Author: Nirbhay Choubey <nirbhay.choubey@oracle.com>
Date: Thu 2012-07-26 21:47:03 +0530

Bug#13741677 MYSQL_SECURE_INSTALLATION DOES NOT WORK + SAVES ROOT PASSWORD TO DISK!

The secure installation scripts connect to the server by storing the password in a temporary option file. Now, if the script gets killed or fails for some reason, the removal of the option file may not take place.

CVE-2012-3163
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/georgi.kodinov@...
Revno: 3764.1.1
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date: Thu 2012-07-05 13:41:16 +0300

Bug #13889741: HANDLE_FATAL_SIGNAL IN _DB_ENTER_ | HANDLE_FATAL_SIGNAL IN STRNLEN

Fixed the following bounds checking problems :
1. in check_if_legal_filename() make sure the null terminated string is long enough before accessing the bytes in it. Prevents potential read-past-buffer-end
2. in my_wc_mb_filename() of the filename charset check for the end of the destination buffer before sending single byte characters into it. Prevents write-past-end-of-buffer (and garbling stack in the cases reported here) errors.

CVE-2012-3166
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/yasufumi.kinosh...
Revno: 3730
Author: Yasufumi Kinoshita <yasufumi.kinoshita@oracle.com>
Date: Fri 2012-04-27 19:38:13 +0900

Bug#11758510 (#50723): INNODB CHECK TABLE FATAL SEMAPHORE WAIT TIMEOUT POSSIBLY TOO SHORT FOR BI

CVE-2012-3167
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Full Text Search.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/venkata.sidagam...
Revno: 3739
Author: Venkata Sidagam <venkata.sidagam@oracle.com>
Date: Wed 2012-05-16 16:14:27 +0530

Bug #13955256: KEYCACHE CRASHES, CORRUPTIONS/HANGS WITH, FULLTEXT INDEX AND CONCURRENT DML.

Problem Statement:
------------------
1) Create a table with FT index.
2) Enable concurrent inserts.
3) In multiple threads do below operations repeatedly
   a) truncate table
   b) insert into table ....
   c) select ... match .. against .. non-boolean/boolean mode

CVE-2012-3173
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.63 and earlier, and 5.5.25 and earlier, allows remote authenticated users to affect availability via unknown vectors related to InnoDB Plugin.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/annamalai.gurus...
Revno: 3740
Author: Annamalai Gurusami <annamalai.gurusami@oracle.com>
Date: Wed 2012-05-16 16:36:49 +0530

Bug #13943231: ALTER TABLE AFTER DISCARD MAY CRASH THE SERVER

The following scenario crashes our mysql server:
1. set global innodb_file_per_table=1;
2. create table t1(c1 int) engine=innodb;
3. alter table t1 discard tablespace;
4. alter table t1 add unique index(c1);

CVE-2012-3177
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/chaithra.gopala...
Revno: 3786
Author: Chaithra Gopalareddy <chaithra.gopalareddy@oracle.com>
Date: Sun 2012-08-05 16:29:28 +0530

Bug #14099846: EXPORT_SET CRASHES DUE TO OVERALLOCATION OF MEMORY

Backport the fix from 5.6 to 5.1
Base bug number : 11765562

or

http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/tor.didriksen@o...
Revno: 3784
Author: Tor Didriksen <tor.didriksen@oracle.com>
Date: Fri 2012-07-27 09:13:10 +0200

Bug#14111180 HANDLE_FATAL_SIGNAL IN PTR_COMPARE_1 / QUEUE_INSERT

CVE-2012-3180
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.65 and earlier, and 5.5.27 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/sergey.glukhov@...
Revno: 3792
Author: Sergey Glukhov <sergey.glukhov@oracle.com>
Date: Thu 2012-08-09 15:34:52 +0400

Bug #14409015 MEMORY LEAK WHEN REFERENCING OUTER FIELD IN HAVING

When resolving outer fields, Item_field::fix_outer_fields() creates new Item_refs for each execution of a prepared statement, so these must be allocated in the runtime memroot. The memroot switching before resolving JOIN::having causes these to be allocated in the statement root, leaking memory for each PS execution.

CVE-2012-3197
^^^^^^^^^^^^^
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/nuno.carvalho@o...
Revno: 3725.1.1
Author: Nuno Carvalho <nuno.carvalho@oracle.com>
Date: Fri 2012-04-20 22:25:59 +0100

BUG#13979418: SHOW BINLOG EVENTS MAY CRASH THE SERVER
participants (1)
-
Sergei Golubchik
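
The failure mode quoted under CVE-2012-3160 above (a temporary option file holding the password survives when the script is killed or fails) is shown here next to a cleanup-on-every-exit variant. This is an added example, not part of the original message and not the mysql_secure_installation source; `run_unsafe`, `run_safe`, `write_option_file` and the `OPTION_FILE` variable are hypothetical names, and the password is a constructed sample.

```shell
#!/bin/sh
# Added illustration: run_unsafe, run_safe and OPTION_FILE are hypothetical
# names; this is not the mysql_secure_installation source.

# Writes a [client] option file for "$1" (the password) to the path in $cfg.
# printf is a shell builtin, so the password never appears in a process list.
write_option_file() {
    printf '[client]\nuser=root\npassword=%s\n' "$1" > "$cfg"
}

# Weak pattern: the file is removed only if the script reaches the rm line.
run_unsafe() (
    cfg=$(mktemp "${TMPDIR:-/tmp}/secure_install.XXXXXX") || exit 1
    write_option_file "$1"; shift
    OPTION_FILE=$cfg "$@"          # e.g. mysql --defaults-file="$OPTION_FILE"
    rc=$?
    rm -f "$cfg"                   # never reached if the shell is killed above
    exit "$rc"
)

# Hardened pattern: register the cleanup before the secret is written.
run_safe() (
    cfg=$(mktemp "${TMPDIR:-/tmp}/secure_install.XXXXXX") || exit 1
    trap 'rm -f "$cfg"' EXIT       # runs on every exit path of this subshell
    trap 'exit 129' HUP            # turn each signal into a normal exit so
    trap 'exit 130' INT            # that the EXIT trap above still fires
    trap 'exit 131' QUIT
    trap 'exit 143' TERM
    write_option_file "$1"; shift
    OPTION_FILE=$cfg "$@"
    exit $?
)

# Demo with a constructed password: the command can read the file while it
# runs, and the file is gone once run_safe returns.
run_safe 'constructed-password' sh -c 'test -r "$OPTION_FILE"'
```

SIGKILL cannot be trapped, so even the hardened variant can leave the file behind in that case; `mktemp` creating it with owner-only permissions limits who can read a leftover.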