
The following two security updates have been released for Debian GNU/Linux: DSA 2667-1 mysql-5.5 security update and DSA 2666-1 xen security update



[SECURITY] [DSA 2667-1] mysql-5.5 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2667-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
May 12, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mysql-5.5
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-1502 CVE-2013-1511 CVE-2013-1532 CVE-2013-1544
CVE-2013-2375 CVE-2013-2376 CVE-2013-2389 CVE-2013-2391
CVE-2013-2392

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream
version, 5.5.31, which includes additional changes, such as performance
improvements and corrections for data loss defects.

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.31+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.31+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[SECURITY] [DSA 2666-1] xen security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2666-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 12, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xen
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-1918 CVE-2013-1952 CVE-2013-1964

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2013-1918 (XSA 45) Several long latency operations are not preemptible

Some page table manipulation operations for PV guests were not made
preemptible, allowing a malicious or buggy PV guest kernel to mount a
denial of service attack affecting the whole system.

CVE-2013-1952 (XSA 49) VT-d interrupt remapping source validation flaw for bridges

Due to missing source validation on interrupt remapping table
entries for MSI interrupts set up by bridge devices, a malicious
domain with access to such a device, can mount a denial of service
attack affecting the whole system.

CVE-2013-1964 (XSA 50) grant table hypercall acquire/release imbalance

When releasing a particular, non-transitive grant after doing a grant
copy operation, Xen incorrectly releases an unrelated grant
reference, possibly leading to a crash of the host system.
Furthermore, information leakage or privilege escalation cannot be
ruled out.

For the oldstable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.11.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.4-3+deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 4.1.4-4.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.4-4.

Note that for the stable (wheezy), testing and unstable distributions,
CVE-2013-1964 (XSA 50) was already fixed in version 4.1.4-3.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
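Both advisories name the exact package version that closes the issues, so the practical check on a host is whether the installed version is older than that fixed version. The following script is an added example, not part of either advisory and not Debian's own tooling: it re-implements the version ordering that `dpkg --compare-versions` uses (epoch, then upstream version, then Debian revision, with `~` sorting before everything and letters before other punctuation) so the comparison can run anywhere, and then checks a constructed list of installed source packages against the fixed versions published in DSA-2667-1 and DSA-2666-1. The `ADVISORIES` table carries only versions and CVE IDs from the advisories above; the input format (`<source package> <version>` per line), the sample inventory and the `openssh` line are assumptions made for the example.

```python
"""Check installed Debian package versions against the fixed versions in
DSA-2667-1 (mysql-5.5) and DSA-2666-1 (xen).  Added example, not Debian code."""
import string

# Fixed versions and CVE IDs exactly as published in the two advisories.
ADVISORIES = {
    "DSA-2667-1": {
        "source": "mysql-5.5",
        "cves": ["CVE-2013-1502", "CVE-2013-1511", "CVE-2013-1532", "CVE-2013-1544",
                 "CVE-2013-2375", "CVE-2013-2376", "CVE-2013-2389", "CVE-2013-2391",
                 "CVE-2013-2392"],
        "fixed": {"wheezy": "5.5.31+dfsg-0+wheezy1", "sid": "5.5.31+dfsg-1"},
    },
    "DSA-2666-1": {
        "source": "xen",
        "cves": ["CVE-2013-1918", "CVE-2013-1952", "CVE-2013-1964"],
        "fixed": {"squeeze": "4.0.1-5.11", "wheezy": "4.1.4-3+deb7u1",
                  "jessie": "4.1.4-4", "sid": "4.1.4-4"},
    },
}


def _order(c: str) -> int:
    """Weight of one character in dpkg's lexical ordering ('' means end of string)."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1            # tilde sorts before anything, even the end of the string
    if c:
        return ord(c) + 256  # other punctuation sorts after every letter
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit and digit runs until a difference is found."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in string.digits) or (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: ignore leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in string.digits and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]'; a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg orders version a against version b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def unpatched(installed_text: str, suite: str, advisories=ADVISORIES) -> list:
    """List (DSA, source, installed, fixed, CVEs) for every advisory still open on this host.
    installed_text: one '<source package> <version>' per line (assumed input format)."""
    installed = {}
    for line in installed_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed.setdefault(parts[0], parts[1])
    findings = []
    for dsa, info in advisories.items():
        fixed = info["fixed"].get(suite)
        have = installed.get(info["source"])
        if fixed is not None and have is not None and compare_versions(have, fixed) < 0:
            findings.append((dsa, info["source"], have, fixed, info["cves"]))
    return findings


# Constructed sample inventory: mysql-5.5 lags the advisory, xen is already at the fixed version.
SAMPLE_INSTALLED = """\
mysql-5.5 5.5.30+dfsg-1.1
xen 4.1.4-3+deb7u1
openssh 1:6.0p1-4
"""

if __name__ == "__main__":
    for dsa, src, have, fixed, cves in unpatched(SAMPLE_INSTALLED, "wheezy"):
        print(f"{dsa}: {src} {have} < {fixed} ({', '.join(cves)})")
```

On a real wheezy host the inventory would come from `dpkg-query` rather than the embedded string (one line per installed binary package, mapped back to its source package); duplicate source names are harmless because the first version seen is kept. Note that the comparison decides only whether the advisory's fixed version is installed; it does not model the remark above that CVE-2013-1964 was already closed in xen 4.1.4-3, so a 4.1.4-3 host is reported as missing the DSA even though one of its three CVEs is already fixed.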