CVE-2012-5615

Published: 3 December 2012

Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.

Priority

Status

Package	Release	Status
mariadb-5.5 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Does not exist (trusty was not-affected [5.5.36-1])
	upstream	Released (5.5.29)
	utopic	Not vulnerable (5.5.36-1)
	vivid	Does not exist
	wily	Does not exist
mysql-5.5 Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Does not exist
	oneiric	Does not exist
	precise	Released (5.5.40-0ubuntu0.12.04.1)
	quantal	Ignored (end of life)
	raring	Ignored (end of life)
	saucy	Ignored (end of life)
	trusty	Released (5.5.40-0ubuntu0.14.04.1)
	upstream	Released (5.5.39)
	utopic	Not vulnerable (5.5.39-0ubuntu4)
	vivid	Does not exist
	wily	Does not exist
	Patches: upstream: http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676
mysql-5.6 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	trusty	Released (5.6.27-0ubuntu0.14.04.1)
	upstream	Released (5.6.20)
	utopic	Ignored (end of life)
	vivid	Not vulnerable (5.6.23-1~exp1~ubuntu4)
	wily	Not vulnerable (5.6.23-1~exp1~ubuntu4)
mysql-dfsg-5.1 Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Ignored (end of life)
	oneiric	Does not exist
	precise	Does not exist
	quantal	Does not exist
	raring	Does not exist
	saucy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›