
CVE-2012-2122

Published: 11 June 2012

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

Notes

Author: jdstrand
Note: mysql-cluster-7.0 not supported per Ubuntu Server team

Priority

High

Status

Package: mysql-5.1
Release   Status
hardy     Does not exist
lucid     Does not exist
natty     Released (5.1.63-0ubuntu0.11.04.1)
oneiric   Released (5.1.63-0ubuntu0.11.10.1)
precise   Does not exist
upstream  Released (5.1.63)

Package: mysql-5.5
Release   Status
hardy     Does not exist
lucid     Does not exist
natty     Does not exist
oneiric   Does not exist
precise   Released (5.5.24-0ubuntu0.12.04.1)
upstream  Released (5.5.24)
Patches:
upstream: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17

Package: mysql-cluster-7.0
Release   Status
hardy     Does not exist
lucid     Ignored
natty     Ignored
oneiric   Ignored
precise   Does not exist
upstream  Needs triage

Package: mysql-dfsg-5.0
Release   Status
hardy     Released (5.0.96-0ubuntu3)
lucid     Does not exist
natty     Does not exist
oneiric   Does not exist
precise   Does not exist
upstream  Needs triage

Package: mysql-dfsg-5.1
Release   Status
hardy     Does not exist
lucid     Released (5.1.63-0ubuntu0.10.04.1)
natty     Does not exist
oneiric   Does not exist
precise   Does not exist
upstream  Released (5.1.63)