CVE-2018-2767

Name	CVE-2018-2767
Description	Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1407-1, DLA-1566-1, DSA-4341-1
Debian Bugs	904121

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
mariadb-10.0	source	jessie	10.0.35-0+deb8u1	DLA-1407-1
mariadb-10.0	source	(unstable)	(unfixed)
mariadb-10.1	source	stretch	10.1.37-0+deb9u1	DSA-4341-1
mariadb-10.1	source	(unstable)	1:10.1.34-1
mariadb-10.2	source	(unstable)	(unfixed)
mysql-5.5	source	jessie	5.5.62-0+deb8u1	DLA-1566-1
mysql-5.5	source	(unstable)	(unfixed)
mysql-5.7	source	(unstable)	5.7.23-1		904121

Notes

[wheezy] - mysql-5.5 <postponed> (Wait for next upstream security/bugfix release)
https://www.openwall.com/lists/oss-security/2018/04/08/2
Result from an incomplete fix for CVE-2015-3152 and related CVE for
Oracle products.
For MariaDB: if one connects to the remote server using the embedded library
(libmysqld), then SSL is not enforced.
Fixed in MariaDB: 5.5.60, 10.0.35, 10.1.33, 10.2.15, and 10.3.7
https://github.com/MariaDB/server/commit/f5369faf5bbf
For Oracle: https://github.com/mysql/mysql-server/commit/bbc2e37fe4e
fixed in 5.5.61, 5.6.41, 5.7.23
Strictly speaking though the CVE would be only for Oracle MySQL, for practical
reasons still tracking as well MariaDB here.