Issued:

2018-03-26

Updated:

2018-03-26

RHSA-2018:0586 - Important: rh-mysql57-mysql security update

Synopsis

Important: rh-mysql57-mysql security update

Type/Severity

Security Advisory Important

Topic

An update for rh-mysql57-mysql is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.

The following packages have been upgraded to a later upstream version: rh-mysql57-mysql (5.7.21). (BZ#1533832)

Security Fix(es):

• mysql: sha256_password authentication DoS via long password (CVE-2018-2696)

• mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2018) (CVE-2018-2565)

• mysql: Server: GIS unspecified vulnerability (CPU Jan 2018) (CVE-2018-2573)

• mysql: Server: DML unspecified vulnerability (CPU Jan 2018) (CVE-2018-2576)

• mysql: Stored Procedure unspecified vulnerability (CPU Jan 2018) (CVE-2018-2583)

• mysql: Server: DML unspecified vulnerability (CPU Jan 2018) (CVE-2018-2586)

• mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018) (CVE-2018-2590)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2600)

• mysql: InnoDB unspecified vulnerability (CPU Jan 2018) (CVE-2018-2612)

• mysql: Server: DDL unspecified vulnerability (CPU Jan 2018) (CVE-2018-2622)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2640)

• mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018) (CVE-2018-2645)

• mysql: Server: DML unspecified vulnerability (CPU Jan 2018) (CVE-2018-2646)

• mysql: Server: Replication unspecified vulnerability (CPU Jan 2018) (CVE-2018-2647)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2665)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2667)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2668)

• mysql: sha256_password authentication DoS via hash with large rounds value (CVE-2018-2703)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2018-2696 and CVE-2018-2703 issues were discovered by Red Hat Product Security.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

Affected Products

Updated Packages

• rh-mysql57-mysql-errmsg-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-devel-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-devel-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-common-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-5.7.21-2.el6.1.src.rpm
• rh-mysql57-mysql-5.7.21-2.el7.1.src.rpm
• rh-mysql57-mysql-config-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-config-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-common-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-test-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-errmsg-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-server-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-server-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-test-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-5.7.21-2.el7.1.x86_64.rpm
• rh-mysql57-mysql-debuginfo-5.7.21-2.el6.1.x86_64.rpm
• rh-mysql57-mysql-debuginfo-5.7.21-2.el7.1.x86_64.rpm

Fixes

• This content is not included.BZ - 1509475
• This content is not included.BZ - 1534139
• This content is not included.BZ - 1535486
• This content is not included.BZ - 1535487
• This content is not included.BZ - 1535488
• This content is not included.BZ - 1535490
• This content is not included.BZ - 1535491
• This content is not included.BZ - 1535492
• This content is not included.BZ - 1535496
• This content is not included.BZ - 1535497
• This content is not included.BZ - 1535499
• This content is not included.BZ - 1535500
• This content is not included.BZ - 1535501
• This content is not included.BZ - 1535502
• This content is not included.BZ - 1535503
• This content is not included.BZ - 1535504
• This content is not included.BZ - 1535505
• This content is not included.BZ - 1535506

CVEs

• CVE-2018-2565
• CVE-2018-2573
• CVE-2018-2576
• CVE-2018-2583
• CVE-2018-2586
• CVE-2018-2590
• CVE-2018-2600
• CVE-2018-2612
• CVE-2018-2622
• CVE-2018-2640
• CVE-2018-2645
• CVE-2018-2646
• CVE-2018-2647
• CVE-2018-2665
• CVE-2018-2667
• CVE-2018-2668
• CVE-2018-2696
• CVE-2018-2703

References

• https://access.redhat.com/security/updates/classification/#important
• Content from www.oracle.com is not included.Content from www.oracle.com is not included.http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL
• Content from dev.mysql.com is not included.Content from dev.mysql.com is not included.https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.