ESB-2018.1261 - [Ubuntu] mysql-server-5.7: Multiple vulnerabilities 2018-04-26

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1261
                           MySQL vulnerabilities
                               26 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mysql-server-5.7
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2846 CVE-2018-2839 CVE-2018-2819
                   CVE-2018-2818 CVE-2018-2817 CVE-2018-2816
                   CVE-2018-2813 CVE-2018-2812 CVE-2018-2810
                   CVE-2018-2787 CVE-2018-2786 CVE-2018-2784
                   CVE-2018-2782 CVE-2018-2781 CVE-2018-2780
                   CVE-2018-2779 CVE-2018-2778 CVE-2018-2777
                   CVE-2018-2776 CVE-2018-2775 CVE-2018-2773
                   CVE-2018-2771 CVE-2018-2769 CVE-2018-2766
                   CVE-2018-2762 CVE-2018-2761 CVE-2018-2759
                   CVE-2018-2758 CVE-2018-2755 

Reference:         ASB-2018.0087
                   ESB-2018.1241
                   ESB-2018.1227

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3629-1

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-3629-1: MySQL vulnerabilities

23 April 2018
mysql-5.5, mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

    Ubuntu 17.10
    Ubuntu 16.04 LTS
    Ubuntu 14.04 LTS

Summary

Several security issues were fixed in MySQL.

Software Description

    mysql-5.7 - MySQL database
    mysql-5.5 - MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes new
upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.60 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, and 
Ubuntu 17.10 have been updated to MySQL 5.7.22.

In addition to security fixes, the updated packages contain bug fixes, new 
features, and possibly incompatible changes.

Please see the following for more information: 
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-22.html http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Update instructions

The problem can be corrected by updating your system to the following package 
versions:

Ubuntu 17.10
    mysql-server-5.7 - 5.7.22-0ubuntu0.17.10.1
Ubuntu 16.04 LTS
    mysql-server-5.7 - 5.7.22-0ubuntu0.16.04.1
Ubuntu 14.04 LTS
    mysql-server-5.5 - 5.5.60-0ubuntu0.14.04.1

To update your system, please follow these instructions: 
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

    CVE-2018-2755
    CVE-2018-2758
    CVE-2018-2759
    CVE-2018-2761
    CVE-2018-2762
    CVE-2018-2766
    CVE-2018-2769
    CVE-2018-2771
    CVE-2018-2773
    CVE-2018-2775
    CVE-2018-2776
    CVE-2018-2777
    CVE-2018-2778
    CVE-2018-2779
    CVE-2018-2780
    CVE-2018-2781
    CVE-2018-2782
    CVE-2018-2784
    CVE-2018-2786
    CVE-2018-2787
    CVE-2018-2810
    CVE-2018-2812
    CVE-2018-2813
    CVE-2018-2816
    CVE-2018-2817
    CVE-2018-2818
    CVE-2018-2819
    CVE-2018-2839
    CVE-2018-2846

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWuEbL4x+lLeg9Ub1AQiL+A/+NWQOvrgPRWjfCsIBYq2MkxFC1m06cM/N
R6emk8l4nKs6qjdb5iSj/LDNnsE5m5jeUZtcZLuktFvf46JpQsiJcPPy750RQepC
fzwb5A3OlM0xwO4YUSGnXSZ7o1FtSri8VsiSCXZnORock9jtNY0UHLDUfOtokG4I
i+UHGWbCWPdS6Ejq+7aUBeG+FhxXYpkJxAVCCC/F0mWxX8UHJjJlzlrtmkUMCZMn
f2MAe8qPWmoRS/DIHqkGjWZywSZJBgQHnvZVIk8t/tSgq8jrJ9yXFeQLn8JFs/ou
kVHKC00PLW1Ppt1oO5EXVyHZqZMSZIT0ayBTcISJkkK5hcfcsF+ZiMPUPsR4K5My
R3wCKNAy4ddYpYAuJRgjXoMk8wXm8KVqwqap/4VrpMmCoadD0lfUxTjwVsC5AH2z
hmHikK/8B1TiFTu0FQHxNAIHQy2apU0ZgccYarR0ZqdkzNGG6jiE6YzkYArQCbvX
BbAeP73zL2od2mW/OsNwC97b+672zt5fs6takpTfaU6Xy16HH1+pPwg1nkQ5FZYT
Pw1gM3bs4/FLXun/6WWBH+Ven7QzBlThnA2pI30Gs9xOlJOo4cY3wiqMXEahsvlh
xsfb6G6jPFL5R8IRc+j+tSBy/0EnPMvcB3T9Y7hePcPj5B9mNyLGlgmMutAsIa5G
skoY1htmHS4=
=jiNm
-----END PGP SIGNATURE-----

« Back to bulletins