openSUSE Security Update: Security update for MySQL ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:0367-1 Rating: important References: #957174 #959724 #962779 Cross-References: CVE-2015-5969 CVE-2015-7744 CVE-2016-0502 CVE-2016-0503 CVE-2016-0504 CVE-2016-0505 CVE-2016-0546 CVE-2016-0594 CVE-2016-0595 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0605 CVE-2016-0606 CVE-2016-0607 CVE-2016-0608 CVE-2016-0609 CVE-2016-0610 CVE-2016-0611 Affected Products: openSUSE Leap 42.1 openSUSE 13.2 ______________________________________________________________________________ An update that fixes 20 vulnerabilities is now available. Description: This update to MySQL 5.6.28 fixes the following issues (bsc#962779): - CVE-2015-7744: Lack of verification against faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack. - CVE-2016-0502: Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. - CVE-2016-0503: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0504. - CVE-2016-0504: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0503. - CVE-2016-0505: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Options. - CVE-2016-0546: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. - CVE-2016-0594: Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows remote authenticated users to affect availability via vectors related to DML. - CVE-2016-0595: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. - CVE-2016-0596: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML. - CVE-2016-0597: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. - CVE-2016-0598: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML. - CVE-2016-0600: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. - CVE-2016-0605: Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors. - CVE-2016-0606: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect integrity via unknown vectors related to encryption. - CVE-2016-0607: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to replication. - CVE-2016-0608: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via vectors related to UDF. - CVE-2016-0609: Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to privileges. - CVE-2016-0610: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. - CVE-2016-0611: Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. - CVE-2015-5969: Fixed information leak via mysql-systemd-helper script. (bsc#957174) - bsc#959724: Possible buffer overflow from incorrect use of strcpy() and sprintf() Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-165=1 - openSUSE 13.2: zypper in -t patch openSUSE-2016-165=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): libmysql56client18-5.6.28-13.1 libmysql56client18-debuginfo-5.6.28-13.1 libmysql56client_r18-5.6.28-13.1 mysql-community-server-5.6.28-13.1 mysql-community-server-bench-5.6.28-13.1 mysql-community-server-bench-debuginfo-5.6.28-13.1 mysql-community-server-client-5.6.28-13.1 mysql-community-server-client-debuginfo-5.6.28-13.1 mysql-community-server-debuginfo-5.6.28-13.1 mysql-community-server-debugsource-5.6.28-13.1 mysql-community-server-errormessages-5.6.28-13.1 mysql-community-server-test-5.6.28-13.1 mysql-community-server-test-debuginfo-5.6.28-13.1 mysql-community-server-tools-5.6.28-13.1 mysql-community-server-tools-debuginfo-5.6.28-13.1 - openSUSE Leap 42.1 (x86_64): libmysql56client18-32bit-5.6.28-13.1 libmysql56client18-debuginfo-32bit-5.6.28-13.1 libmysql56client_r18-32bit-5.6.28-13.1 - openSUSE 13.2 (i586 x86_64): libmysql56client18-5.6.28-2.17.1 libmysql56client18-debuginfo-5.6.28-2.17.1 libmysql56client_r18-5.6.28-2.17.1 mysql-community-server-5.6.28-2.17.1 mysql-community-server-bench-5.6.28-2.17.1 mysql-community-server-bench-debuginfo-5.6.28-2.17.1 mysql-community-server-client-5.6.28-2.17.1 mysql-community-server-client-debuginfo-5.6.28-2.17.1 mysql-community-server-debuginfo-5.6.28-2.17.1 mysql-community-server-debugsource-5.6.28-2.17.1 mysql-community-server-errormessages-5.6.28-2.17.1 mysql-community-server-test-5.6.28-2.17.1 mysql-community-server-test-debuginfo-5.6.28-2.17.1 mysql-community-server-tools-5.6.28-2.17.1 mysql-community-server-tools-debuginfo-5.6.28-2.17.1 - openSUSE 13.2 (x86_64): libmysql56client18-32bit-5.6.28-2.17.1 libmysql56client18-debuginfo-32bit-5.6.28-2.17.1 libmysql56client_r18-32bit-5.6.28-2.17.1 References: https://www.suse.com/security/cve/CVE-2015-5969.html https://www.suse.com/security/cve/CVE-2015-7744.html https://www.suse.com/security/cve/CVE-2016-0502.html https://www.suse.com/security/cve/CVE-2016-0503.html https://www.suse.com/security/cve/CVE-2016-0504.html https://www.suse.com/security/cve/CVE-2016-0505.html https://www.suse.com/security/cve/CVE-2016-0546.html https://www.suse.com/security/cve/CVE-2016-0594.html https://www.suse.com/security/cve/CVE-2016-0595.html https://www.suse.com/security/cve/CVE-2016-0596.html https://www.suse.com/security/cve/CVE-2016-0597.html https://www.suse.com/security/cve/CVE-2016-0598.html https://www.suse.com/security/cve/CVE-2016-0600.html https://www.suse.com/security/cve/CVE-2016-0605.html https://www.suse.com/security/cve/CVE-2016-0606.html https://www.suse.com/security/cve/CVE-2016-0607.html https://www.suse.com/security/cve/CVE-2016-0608.html https://www.suse.com/security/cve/CVE-2016-0609.html https://www.suse.com/security/cve/CVE-2016-0610.html https://www.suse.com/security/cve/CVE-2016-0611.html https://bugzilla.suse.com/957174 https://bugzilla.suse.com/959724 https://bugzilla.suse.com/962779 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org