ALAS-2016-738


Amazon Linux AMI Security Advisory: ALAS-2016-738
Advisory Release Date: 2016-08-17 13:30 Pacific
Severity: Important

Issue Overview:

It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to UDF. (CVE-2016-0608 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to privileges. (CVE-2016-0609 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Options. (CVE-2016-0505 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0600 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0616 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption. (CVE-2016-3452 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DDL. (CVE-2016-0644 )

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. (CVE-2016-3477 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0596 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0597 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect integrity and availability via vectors related to DML. (CVE-2016-0640 )

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-3521 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect integrity and availability via vectors related to Federated. (CVE-2016-0642 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect confidentiality via vectors related to DML. (CVE-2016-0643 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to Security: Privileges. (CVE-2016-0666 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. (CVE-2016-0651 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to Replication. (CVE-2016-0650 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0598 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to PS. (CVE-2016-0649 )

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. (CVE-2016-5440 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Connection. (CVE-2016-5444 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect integrity via unknown vectors related to encryption. (CVE-2016-0606 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to PS. (CVE-2016-0648 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DML. (CVE-2016-0646 )

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. (CVE-2016-0546 )

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to FTS. (CVE-2016-0647 )

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: DML. (CVE-2016-3615 )

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect confidentiality and availability via vectors related to MyISAM. (CVE-2016-0641 )


Affected Packages:

mysql55


Issue Correction:
Run yum update mysql55 to update your system.

New Packages:
i686:
    mysql55-libs-5.5.51-1.11.amzn1.i686
    mysql55-debuginfo-5.5.51-1.11.amzn1.i686
    mysql55-bench-5.5.51-1.11.amzn1.i686
    mysql55-embedded-devel-5.5.51-1.11.amzn1.i686
    mysql55-test-5.5.51-1.11.amzn1.i686
    mysql55-devel-5.5.51-1.11.amzn1.i686
    mysql55-5.5.51-1.11.amzn1.i686
    mysql55-server-5.5.51-1.11.amzn1.i686
    mysql-config-5.5.51-1.11.amzn1.i686
    mysql55-embedded-5.5.51-1.11.amzn1.i686

src:
    mysql55-5.5.51-1.11.amzn1.src

x86_64:
    mysql-config-5.5.51-1.11.amzn1.x86_64
    mysql55-bench-5.5.51-1.11.amzn1.x86_64
    mysql55-debuginfo-5.5.51-1.11.amzn1.x86_64
    mysql55-libs-5.5.51-1.11.amzn1.x86_64
    mysql55-server-5.5.51-1.11.amzn1.x86_64
    mysql55-embedded-5.5.51-1.11.amzn1.x86_64
    mysql55-embedded-devel-5.5.51-1.11.amzn1.x86_64
    mysql55-devel-5.5.51-1.11.amzn1.x86_64
    mysql55-test-5.5.51-1.11.amzn1.x86_64
    mysql55-5.5.51-1.11.amzn1.x86_64