===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0046
                     Multiple vulnerabilities in yaSSL
                               22 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Confidential Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1623 CVE-2012-4929 
Member content until: Sunday, April 21 2013
Reference:            ESB-2013.0383
                      ESB-2013.0316
                      ESB-2013.0217
                      ESB-2013.0216
                      ESB-2012.1126

OVERVIEW

        Multiple vulnerabilities have been identified in MySQL versions
        5.1.68, 5.5.30, 5.6.11 and earlier. [1]


IMPACT

        The vendor has stated that this update fixes the following 
        vulnerabilities: 
        
        "CVE-2013-1623 Vulnerability allows statistical analysis of timing data 
        of crafted packets
        
        CVE-2012-4929 Cryptographic vulnerability" [1]


MITIGATION

        The vendor recommends updating to the latest version of MySQL to 
        correct these issues. [1]


REFERENCES

        [1] Multiple vulnerabilities in yaSSL
            https://blogs.oracle.com/sunsecurity/entry/cve_2013_1492_buffer_overflow

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================