PublicDateAtUSN: 2012-06-11
Candidate: CVE-2012-2122
PublicDate: 2012-06-26 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
 http://seclists.org/oss-sec/2012/q2/493
 https://mariadb.atlassian.net/browse/MDEV-212
 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html
 http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html
 https://ubuntu.com/security/notices/USN-1467-1
Description:
 sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24,
 and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before
 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in
 certain environments with certain implementations of the memcmp function,
 allows remote attackers to bypass authentication by repeatedly
 authenticating with the same incorrect password, which eventually causes a
 token comparison to succeed due to an improperly-checked return value.
Ubuntu-Description:
Notes:
 jdstrand> mysql-cluster-7.0 not supported per Ubuntu Server team
Bugs:
 http://bugs.mysql.com/bug.php?id=64884
Priority: high
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_mysql-dfsg-5.0:
upstream_mysql-dfsg-5.0: needs-triage
hardy_mysql-dfsg-5.0: released (5.0.96-0ubuntu3)
lucid_mysql-dfsg-5.0: DNE
natty_mysql-dfsg-5.0: DNE
oneiric_mysql-dfsg-5.0: DNE
precise_mysql-dfsg-5.0: DNE
devel_mysql-dfsg-5.0: DNE

Patches_mysql-dfsg-5.1:
upstream_mysql-dfsg-5.1: released (5.1.63)
hardy_mysql-dfsg-5.1: DNE
lucid_mysql-dfsg-5.1: released (5.1.63-0ubuntu0.10.04.1)
natty_mysql-dfsg-5.1: DNE
oneiric_mysql-dfsg-5.1: DNE
precise_mysql-dfsg-5.1: DNE
devel_mysql-dfsg-5.1: DNE

Patches_mysql-5.1:
upstream_mysql-5.1: released (5.1.63)
hardy_mysql-5.1: DNE
lucid_mysql-5.1: DNE
natty_mysql-5.1: released (5.1.63-0ubuntu0.11.04.1)
oneiric_mysql-5.1: released (5.1.63-0ubuntu0.11.10.1)
precise_mysql-5.1: DNE
devel_mysql-5.1: DNE

Patches_mysql-5.5:
 upstream: http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/3560.10.17
upstream_mysql-5.5: released (5.5.24)
hardy_mysql-5.5: DNE
lucid_mysql-5.5: DNE
natty_mysql-5.5: DNE
oneiric_mysql-5.5: DNE
precise_mysql-5.5: released (5.5.24-0ubuntu0.12.04.1)
devel_mysql-5.5: released (5.5.25-0ubuntu1)

Patches_mysql-cluster-7.0:
upstream_mysql-cluster-7.0: needs-triage
hardy_mysql-cluster-7.0: DNE
lucid_mysql-cluster-7.0: ignored
natty_mysql-cluster-7.0: ignored
oneiric_mysql-cluster-7.0: ignored
precise_mysql-cluster-7.0: DNE
devel_mysql-cluster-7.0: DNE