ESB-2017.1801 - [Ubuntu] mysql-server-5.7: Multiple vulnerabilities 2017-07-21

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1801
                           MySQL vulnerabilities
                               21 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mysql-server-5.7
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3653 CVE-2017-3652 CVE-2017-3651
                   CVE-2017-3650 CVE-2017-3649 CVE-2017-3648
                   CVE-2017-3647 CVE-2017-3645 CVE-2017-3644
                   CVE-2017-3643 CVE-2017-3642 CVE-2017-3641
                   CVE-2017-3640 CVE-2017-3639 CVE-2017-3638
                   CVE-2017-3637 CVE-2017-3636 CVE-2017-3635
                   CVE-2017-3634 CVE-2017-3633 CVE-2017-3529

Reference:         ASB-2017.0109

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3357-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3357-1
July 20, 2017

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.57 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS
and Ubuntu 17.04 have been updated to MySQL 5.7.19.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  mysql-server-5.7                5.7.19-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  mysql-server-5.7                5.7.19-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  mysql-server-5.5                5.5.57-0ubuntu0.14.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3357-1
  CVE-2017-3529, CVE-2017-3633, CVE-2017-3634, CVE-2017-3635,
  CVE-2017-3636, CVE-2017-3637, CVE-2017-3638, CVE-2017-3639,
  CVE-2017-3640, CVE-2017-3641, CVE-2017-3642, CVE-2017-3643,
  CVE-2017-3644, CVE-2017-3645, CVE-2017-3647, CVE-2017-3648,
  CVE-2017-3649, CVE-2017-3650, CVE-2017-3651, CVE-2017-3652,
  CVE-2017-3653

Package Information:
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.19-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.19-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.57-0ubuntu0.14.04.1

--------------------------END INCLUDED TEXT--------------------
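
The fixed package versions listed under "Update instructions" above can be checked against a host inventory. The following is an added example, not part of the Ubuntu notice or the AusCERT bulletin: it compares installed versions using Debian version ordering (the ordering `dpkg --compare-versions` applies), and the inventory format, host names and installed versions are constructed for illustration.

```python
import re

# Fixed versions per (Ubuntu release, package), copied from USN-3357-1.
FIXED = {
    ("17.04", "mysql-server-5.7"): "5.7.19-0ubuntu0.17.04.1",
    ("16.04", "mysql-server-5.7"): "5.7.19-0ubuntu0.16.04.1",
    ("14.04", "mysql-server-5.5"): "5.5.57-0ubuntu0.14.04.1",
}
# Constructed inventory (assumed format): host release package installed-version
SAMPLE = """\
db01 16.04 mysql-server-5.7 5.7.18-0ubuntu0.16.04.1
db02 16.04 mysql-server-5.7 5.7.19-0ubuntu0.16.04.1
db03 14.04 mysql-server-5.5 5.5.9-1ubuntu1
db04 17.04 mysql-server-5.7 5.7.19-0ubuntu0.17.04.1~rc1
db05 16.04 mysql-server-5.5 5.5.57-0ubuntu0.14.04.1
"""

def _order(c):
    # Debian rule: '~' sorts before end-of-string, then letters, then other symbols.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):       # non-digit run, char by char
            x, y = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)            # digit run, numerically
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    up, sep, rev = rest.rpartition("-")
    return (epoch, up, rev) if sep else (epoch, rest, "")

def deb_cmp(a, b):
    return next((r for x, y in zip(_split(a), _split(b)) if (r := _cmp_part(x, y))), 0)

def audit(inventory):
    out = []
    for host, release, pkg, ver in map(str.split, inventory.strip().splitlines()):
        fixed = FIXED.get((release, pkg))
        status = ("not-listed" if fixed is None
                  else "vulnerable" if deb_cmp(ver, fixed) < 0 else "patched")
        out.append((host, pkg, ver, status))
    return out
```

A plain string comparison would rank `5.5.9` above `5.5.57` and treat the `~rc1` build as newer than the fixed version; Debian ordering flags both as below it.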

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================