From nobody Mon Oct 23 18:08:50 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SDjql1P3bz4yKx9; Mon, 23 Oct 2023 18:08:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SDjql0wHMz3F05; Mon, 23 Oct 2023 18:08:51 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698084531; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qKGErHmV89G8IWzGEUKD17pW5vjVuMOk3zGt7U6lZEE=; b=U4nrFsyCslq/jlCN4jZ9JM6KxzHHZ+7532pGa7uDZnjtjgAniTcnT2LzWjPvL6bCYxtONa WuuFKPj9ERqdihtU7lNgeXgA4DShGHbOkVK9Gz9888jPt1UhnD8Y7gasXudL95oGVQRM5R bgLNePueRQi0HfRxScb1egWzEnlh1SR6CYXUwfLT9f3zX83oIzZpfy0jz/cuX+6+UbuGfC 3aoJX6pFwA169uOlm6tVYsvQxkBn8fGvShR+LOh41mFtVy2RKRDUldJ8OUZVLT9bveW9VO Qy9aieCHkiy2hubgsU6daufTadVLysNiR/hf1EzvGk6hyFXHbfVrl34tkPi2pg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1698084531; a=rsa-sha256; cv=none; b=QwSw3i5jSgeca5A+752HAdwOee68gImv6D52a5KItSm/jMj0E3k6rxcMbWTec1z931n0Mx aJGmekVk4mYIuiHu4UuH9ZIpZMb+6/DcUYVtqK++ZkWHqSI39R1QkNokwbIAsn+3Zds7mo eHel6MwbpJk+xUd0AEbx+4VR5cAfG6aETGtzBY4BGPweOdeaI5HgNf2MD43mdkOB7lXgfI JWgCEzo4DgFy+O1u2SOku+y3ahLg5nTgUPGc8A9ifNwm56WXMHpHAwHKxQMn+dOe9PMYOk r5CixIv0xcHmOlzUWCguXsHo5RYz3Q13EOm7R3eUMtMf7I9xp9hXPCpJMuX31A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698084531; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=qKGErHmV89G8IWzGEUKD17pW5vjVuMOk3zGt7U6lZEE=; b=fRZ0xgOqlTelmHtsSMeBUUGY5ZqCovJPY+P2lM8OGru9us+6CoLUvW4esa8/aIbZG9+w+v sTDPiS2++EImswEwlvHjA+H6Mqh9NYxp4krw/HbfDCen9TDNTyy2qzVigLx7VsI6+tXmmW ShmJV6gYQYMyLmJcXp8GcYF8QMkHTRFWFDhcR4JU0su68A/Rb+4Ka1IuTdcrdYcTNdfAS3 wfR23sC6bpK2jjUnUkPOfXNRqMdtAf7frjyu1WC4itsvj2/Q+bX7AMrePdLJkKaBRRCQHJ 412olHw2JMnSojy/k5utiWCeiphKPIhL5ldr2g+Kx6CkM9llI22/gNTHTc348Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SDjqk6qzQzqZ9; Mon, 23 Oct 2023 18:08:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39NI8ou5032023; Mon, 23 Oct 2023 18:08:50 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39NI8o5B032020; Mon, 23 Oct 2023 18:08:50 GMT (envelope-from git) Date: Mon, 23 Oct 2023 18:08:50 GMT Message-Id: <202310231808.39NI8o5B032020@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bernard Spil Subject: git: 3f3224feea96 - main - security/vuxml: Document MySQL vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brnrd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3f3224feea965a2c2b80160c2e7604685880add7 Auto-Submitted: auto-generated The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=3f3224feea965a2c2b80160c2e7604685880add7 commit 3f3224feea965a2c2b80160c2e7604685880add7 Author: Bernard Spil AuthorDate: 2023-10-23 18:08:48 +0000 Commit: Bernard Spil CommitDate: 2023-10-23 18:08:48 +0000 security/vuxml: Document MySQL vulnerabilities --- security/vuxml/vuln/2023.xml | 91 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 83 insertions(+), 8 deletions(-) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 16f74bd4b19c..7e90f35c98f3 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,21 +1,96 @@ + + MySQL -- Multiple vulnerabilities + + + mysql57-server + 5.7.44 + + + mysql-connector-c++ + 8.0.35 + + + mysql-connector-j + 8.1.1 + + + mysql-connector-odbc + 8.1.1 + + + mysql80-server + 8.0.35 + + + + +

Oracle reports:

+
+

This Critical Patch Update contains 37 new security patches, plus + additional third party patches noted below, for Oracle MySQL. 9 of + these vulnerabilities may be remotely exploitable without + authentication, i.e., may be exploited over a network without + requiring user credentials.

+
+ +
+ + CVE-2022-42898 + CVE-2023-2650 + CVE-2023-3817 + CVE-2023-22015 + CVE-2023-22026 + CVE-2023-22028 + CVE-2023-22032 + CVE-2023-22059 + CVE-2023-22064 + CVE-2023-22065 + CVE-2023-22066 + CVE-2023-22068 + CVE-2023-22070 + CVE-2023-22078 + CVE-2023-22079 + CVE-2023-22084 + CVE-2023-22092 + CVE-2023-22094 + CVE-2023-22095 + CVE-2023-22097 + CVE-2023-22102 + CVE-2023-22103 + CVE-2023-22104 + CVE-2023-22110 + CVE-2023-22111 + CVE-2023-22112 + CVE-2023-22113 + CVE-2023-22114 + CVE-2023-22115 + CVE-2023-38545 + https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixMSQL + + + 2023-10-17 + 2023-10-23 + +
+ Request Tracker -- multiple vulnerabilities - rt44 - 4.4.6 + rt44 + 4.4.6 - rt50 - 5.0.4 + rt50 + 5.0.4 -

Request Tracker reports:

-

CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.

-

CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

-

CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.

+

Request Tracker reports:

+

CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.

+

CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

+

CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.