Amazon Linux Security Advisory for mysql55: ALAS-2016-738——漏洞银行丨0DAY BANK

It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to UDF. (CVE-2016-0608)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to privileges. (CVE-2016-0609)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Options. (CVE-2016-0505)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2016-0600)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0616)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption. (CVE-2016-3452)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to DDL. (CVE-2016-0644)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. (CVE-2016-3477)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0596)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0597)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect integrity and availability via vectors related to DML. (CVE-2016-0640)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. (CVE-2016-3521)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect integrity and availability via vectors related to Federated. (CVE-2016-0642)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect confidentiality via vectors related to DML. (CVE-2016-0643)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows local users to affect availability via vectors related to Security: Privileges. (CVE-2016-0666)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. (CVE-2016-0651)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to Replication. (CVE-2016-0650)

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2016-0598)

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier allows local users to affect availability via vectors related to PS. (CVE-2016-0649)

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. (CVE-2016-5440)

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Connection. (CVE-2016-5444)

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Please refer to Amazon advisory ALAS-2016-738 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2016-738: Amazon Linux (mysql55 (5.5.51-1.11.amzn1) on i686)

ALAS-2016-738: Amazon Linux (mysql55 (5.5.51-1.11.amzn1) on x86_64)

ALAS-2016-738: Amazon Linux (mysql55 (5.5.51-1.11.amzn1) on src)