CVE-2012-5615

Name: CVE-2012-5615
Description: Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3054-1
NVD severity: medium (attack range: remote)
Debian Bugs: 695001

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| mysql-5.5 (PTS) | wheezy | 5.5.47-0+deb7u1 | fixed |
| mysql-5.5 | wheezy (security) | 5.5.58-0+deb7u1 | fixed |
| mysql-5.5 | jessie (security), jessie | 5.5.58-0+deb8u1 | fixed |

The information below is based on the following data on fixed versions.

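| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mariadb-5.5 | source | (unstable) | (not affected) | | | |
| mysql-5.1 | source | (unstable) | (unfixed) | low | | 695001 |
| mysql-5.5 | source | (unstable) | 5.5.39-1 | low | | 695001 |
| mysql-5.5 | source | wheezy | 5.5.40-0+wheezy1 | medium | DSA-3054-1 | |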

Notes

- mariadb-5.5 <not-affected> (Fixed before initial upload to archive)
[squeeze] - mysql-5.1 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x)
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676
https://mariadb.atlassian.net/browse/MDEV-3909
http://seclists.org/fulldisclosure/2012/Dec/9
