CVE-2014-0001

NameCVE-2014-0001
DescriptionBuffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDLA-75-1, DSA-2919-1
NVD severityhigh (attack range: remote)
Debian Bugs737596, 737597
Debian/oldoldstablepackage mysql-5.1 is vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mysql-5.1 (PTS)squeeze, squeeze (security)5.1.73-1vulnerable
squeeze (lts)5.1.73-1+deb6u1fixed
mysql-5.5 (PTS)wheezy5.5.40-0+wheezy1fixed
wheezy (security)5.5.43-0+deb7u1fixed
stretch, sid, jessie (security), jessie5.5.43-0+deb8u1fixed
percona-xtradb-cluster-5.5 (PTS)sid5.5.39-25.11+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mariadb-5.5source(unstable)5.5.35-1low737597
mysql-5.1source(unstable)(unfixed)low
mysql-5.1sourcesqueeze5.1.73-1+deb6u1highDLA-75-1
mysql-5.5source(unstable)5.5.37-1low737596
mysql-5.5sourcewheezy5.5.37-0+wheezy1highDSA-2919-1
percona-xtradb-cluster-5.5source(unstable)5.5.37-25.10+dfsg-1high

Notes

[squeeze] - mysql-5.1 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x)
https://bugzilla.redhat.com/show_bug.cgi?id=1054592
http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64

Search for package or bug name: Reporting problems