CVE-2012-2122 apply to mysql55?

Asked by Leif Neve

Your mysql55 package is at revision 24. A security alert came out in the last couple of days (CVE-2012-2122) telling folks with non-vendor-supplied MySQL to upgrade to 5.5.25. Does this vulnerability apply to your package, and if so will an upgrade be forthcoming soon? Thanks.

Question information

Language: English
Status: Solved
For: IUS Community Project
Assignee: No assignee
Solved by: Dustin Henry Offutt
Dustin Henry Offutt (dhoffutt) said (best answer):
#1

Hello Leif,

The CVE-2012-2122 vulnerability does not apply to the IUS Community MySQL 5.5.24 packages in that the vulnerability has been alleged to only affect MySQL and MariaDB servers up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22.

Regardless, the IUS Community MySQL 5.5.24 package was exhaustively tested for the authentication bypass vulnerability, and the test was unsuccessful in broaching authentication.

Bit of trivia, the IUS Community MySQL 5.5.25 package is presently available in the IUS testing repository. One may install it by adding "--enablerepo ius-testing" to the yum command.

Thank you, Dusty

Leif Neve (leifneve) said:
#2

Thanks Dustin Henry Offutt, that solved my question.

Leif Neve (leifneve) said:
#3

Duh, a bit of more careful reading of the advisory would have answered my question. Thanks. BTW, I notice the advisory says nothing about MySQL 5.0.x. Do you happen to know whether the vulnerability applies to these versions?

Dustin Henry Offutt (dhoffutt) said:
#4

Pleasure! Not sure about 5.0.x... Sorry.

Dustin Henry Offutt (dhoffutt) said:
#5

Leif, by the way, if you have an instance installed somewhere and want to test it, it's as simple as this:

$ for i in $(seq 1 300); do mysql -u root --password=bad 2>/dev/null; done

You must use a username that is valid on the system. If login isn't achieved, it should be safe.
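Why the check above needs a few hundred tries rather than one: CVE-2012-2122 came from MySQL returning a memcmp() result through a char-sized boolean, so a non-zero result that is a multiple of 256 collapsed to 0 and a wrong password was occasionally accepted. The following is an added example written for this thread (not code from the posts, not MySQL's own source) that models that truncation and computes the odds the loop relies on; the function names are this example's own.

```c
/* Model of the CVE-2012-2122 comparison flaw.  MySQL compared the two SHA1
 * hashes with memcmp() and handed the int result back as a one-byte boolean.
 * Some optimised libc memcmp implementations return values outside
 * -128..127, so the truncated byte can be 0 for a real mismatch. */
#include <stdio.h>

/* Correct check: any non-zero memcmp result is a mismatch. */
int password_ok_fixed(int memcmp_result) {
    return memcmp_result == 0;
}

/* Flawed check modelled on the bug: the int is squeezed into a char, so
 * results such as 256 or -512 wrap to 0 and look like a match (wrap-around
 * behaviour of the cast assumed, as on common compilers). */
int password_ok_flawed(int memcmp_result) {
    char truncated = (char)memcmp_result;  /* the lossy conversion */
    return truncated == 0;
}

/* Probability that at least one of n wrong-password attempts is accepted
 * when each attempt has a 1/256 chance of the truncated result being 0.
 * Computed as 1 - (255/256)^n without math.h. */
double bypass_probability(int n) {
    double p_all_fail = 1.0;
    for (int i = 0; i < n; i++)
        p_all_fail *= 255.0 / 256.0;
    return 1.0 - p_all_fail;
}

int main(void) {
    /* Constructed sample memcmp results, including ones that wrap to 0. */
    int results[] = {0, 1, -1, 255, 256, -512, 300};
    for (unsigned i = 0; i < sizeof results / sizeof results[0]; i++)
        printf("memcmp=%5d  fixed=%d  flawed=%d\n", results[i],
               password_ok_fixed(results[i]), password_ok_flawed(results[i]));
    /* Around 0.69: the 300-try loop in the post catches a vulnerable
     * server about two times in three, so repeat it if the first run is clean. */
    printf("P(at least one bypass in 300 tries) = %.3f\n",
           bypass_probability(300));
    return 0;
}
```

A clean run of the loop is therefore not proof of safety on its own; running it a few times (or more iterations) drives the miss probability down.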

Leif Neve (leifneve) said:
#6

Thanks. I used a python script I saw that does something similar and my 5.0.x servers passed.