Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2584
USN-4441-1: MySQL vulnerabilities
29 July 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: MySQL
Publisher: Ubuntu
Operating System: Ubuntu
Impact/Access: Modify Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Read-only Data Access -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14702 CVE-2020-14697 CVE-2020-14680
CVE-2020-14678 CVE-2020-14663 CVE-2020-14656
CVE-2020-14654 CVE-2020-14651 CVE-2020-14643
CVE-2020-14641 CVE-2020-14634 CVE-2020-14633
CVE-2020-14632 CVE-2020-14631 CVE-2020-14624
CVE-2020-14623 CVE-2020-14620 CVE-2020-14619
CVE-2020-14597 CVE-2020-14591 CVE-2020-14586
CVE-2020-14576 CVE-2020-14575 CVE-2020-14568
CVE-2020-14559 CVE-2020-14553 CVE-2020-14550
CVE-2020-14547 CVE-2020-14540 CVE-2020-14539
Reference: ASB-2020.0132
Original Bulletin:
https://usn.ubuntu.com/4441-1/
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-4441-1: MySQL vulnerabilities
28 July 2020
Several security issues were fixed in MySQL.
Releases
o Ubuntu 20.04 LTS
o Ubuntu 18.04 LTS
o Ubuntu 16.04 LTS
Packages
o mysql-5.7 - MySQL database
o mysql-8.0 - MySQL database
Details
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS have been updated to MySQL 5.7.31.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-31.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-21.html
https://www.oracle.com/security-alerts/cpujul2020.html
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 20.04
o mysql-server-8.0 - 8.0.21-0ubuntu0.20.04.3
Ubuntu 18.04
o mysql-server-5.7 - 5.7.31-0ubuntu0.18.04.1
Ubuntu 16.04
o mysql-server-5.7 - 5.7.31-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References
o CVE-2020-14633
o CVE-2020-14654
o CVE-2020-14550
o CVE-2020-14623
o CVE-2020-14576
o CVE-2020-14591
o CVE-2020-14559
o CVE-2020-14568
o CVE-2020-14540
o CVE-2020-14643
o CVE-2020-14656
o CVE-2020-14553
o CVE-2020-14547
o CVE-2020-14680
o CVE-2020-14539
o CVE-2020-14586
o CVE-2020-14620
o CVE-2020-14624
o CVE-2020-14663
o CVE-2020-14631
o CVE-2020-14697
o CVE-2020-14702
o CVE-2020-14641
o CVE-2020-14619
o CVE-2020-14634
o CVE-2020-14678
o CVE-2020-14597
o CVE-2020-14632
o CVE-2020-14651
o CVE-2020-14575
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyELKeNLKJtyKPYoAQiT5xAAqH9JNm6ekfOzOudtRUVPMCAwWVlsH48e
pVbROO2bzogGCQU7Mk2Anx8C+0T4E97bEjhO9I4Bkqk176fFZUCAYnxOs5Ouz7/u
YkgjNtLFz01Zk6tzdfOU/Ae91SEdz0BkpVoenvn8l5phuRgit+9hiorcgeohLKrm
ck+3JDPOD2C6uTjVDN9MCn8eNphxr2BI9eJEq6qxjSV2KigmwGK+iDK6DEIobJ6l
jQrEdCqAoFXyyjLTWe7t1NedES91MGWBzDuInZKgdE5PHQAyNemcxLMEbumxlq+G
mIL+/Ee7Hoj4om++9+R4UoHc9z0SwDed1DFj7/J9j74aWJOeHaN3drWqD2uXnWgS
SyQPuaRIVDzgzlLjRTW38WZbcLtMDiP8eY3LLjocfrUK3vpEiSGOI+dG7HRKc8k9
OV9kqIJrG9LsHrOM8jJiOWi9dJHypgnBqEUxoK1spqjx1FJirmPiGdGYJeGprasX
MzEoO/jxjivGQDPjil3A9OR6G2lRyeknH/gYUSIb7sEzykT1WbkjlgsOpjdyYLpM
WpYMX8ynyFvfa1x5TGRrxeRstpEN9t195nNcU+Cehb0PCJGvG/KHuzlm8WmoV7L1
tp2Bf0DR/XygIIX4B87NbZHyU3jT6g4cuNPmVvh1OA3cy1is+EuCccePjrWa8YZA
vl34y1kDzvE=
=W5CI
-----END PGP SIGNATURE-----