RHSA-2024:1141 - Security Advisory

Topic

An update for mysql is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

Security Fix(es):

• mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)
• mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929, CVE-2023-21933)
• mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935, CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)
• mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940, CVE-2023-21947, CVE-2023-21962)
• mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953)
• mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21955)
• mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)
• mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)
• mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)
• mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007, CVE-2023-22057)
• mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)
• mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059, CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092, CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)
• mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)
• mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046)
• mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053, CVE-2023-22054, CVE-2023-22056)
• mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)
• mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084, CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)
• mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)
• mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)
• mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)
• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962, CVE-2024-20965, CVE-2024-20966, CVE-2024-2097, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)
• mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)
• mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)
• mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)
• mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)
• mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)
• mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)
• mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)
• mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)
• mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)
• zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
• mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)
• mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)
• mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)

Bug Fix(es):

• Fix for MySQL bug #33630199 in 8.0.32 introduces regression when --set-gtid-purged=OFF (RHEL-22454)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

Affected Products

• Red Hat Enterprise Linux for x86_64 9 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
• Red Hat Enterprise Linux Server - AUS 9.6 x86_64
• Red Hat Enterprise Linux Server - AUS 9.4 x86_64
• Red Hat Enterprise Linux for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
• Red Hat Enterprise Linux for Power, little endian 9 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
• Red Hat Enterprise Linux for ARM 64 9 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
• Red Hat CodeReady Linux Builder for x86_64 9 x86_64
• Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
• Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
• Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
• Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64
• Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64
• Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le
• Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le
• Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x
• Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x
• Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64
• Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x

Fixes

• BZ - 2179864 - CVE-2022-4899 zstd: mysql: buffer overrun in util.c
• BZ - 2188109 - CVE-2023-21911 mysql: InnoDB unspecified vulnerability (CPU Apr 2023)
• BZ - 2188113 - CVE-2023-21919 mysql: Server: DDL unspecified vulnerability (CPU Apr 2023)
• BZ - 2188115 - CVE-2023-21920 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188116 - CVE-2023-21929 mysql: Server: DDL unspecified vulnerability (CPU Apr 2023)
• BZ - 2188117 - CVE-2023-21933 mysql: Server: DDL unspecified vulnerability (CPU Apr 2023)
• BZ - 2188118 - CVE-2023-21935 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188119 - CVE-2023-21940 mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023)
• BZ - 2188120 - CVE-2023-21945 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188121 - CVE-2023-21946 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188122 - CVE-2023-21947 mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023)
• BZ - 2188123 - CVE-2023-21953 mysql: Server: Partition unspecified vulnerability (CPU Apr 2023)
• BZ - 2188124 - CVE-2023-21955 mysql: Server: Partition unspecified vulnerability (CPU Apr 2023)
• BZ - 2188125 - CVE-2023-21962 mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023)
• BZ - 2188127 - CVE-2023-21966 mysql: Server: JSON unspecified vulnerability (CPU Apr 2023)
• BZ - 2188128 - CVE-2023-21972 mysql: Server: DML unspecified vulnerability (CPU Apr 2023)
• BZ - 2188129 - CVE-2023-21976 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188130 - CVE-2023-21977 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2188131 - CVE-2023-21980 mysql: Client programs unspecified vulnerability (CPU Apr 2023)
• BZ - 2188132 - CVE-2023-21982 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023)
• BZ - 2224211 - CVE-2023-22005 mysql: Server: Replication unspecified vulnerability (CPU Jul 2023)
• BZ - 2224212 - CVE-2023-22007 mysql: Server: Replication unspecified vulnerability (CPU Jul 2023)
• BZ - 2224213 - CVE-2023-22008 mysql: InnoDB unspecified vulnerability (CPU Jul 2023)
• BZ - 2224214 - CVE-2023-22033 mysql: InnoDB unspecified vulnerability (CPU Jul 2023)
• BZ - 2224215 - CVE-2023-22038 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023)
• BZ - 2224216 - CVE-2023-22046 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023)
• BZ - 2224217 - CVE-2023-22048 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023)
• BZ - 2224218 - CVE-2023-22053 mysql: Client programs unspecified vulnerability (CPU Jul 2023)
• BZ - 2224219 - CVE-2023-22054 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023)
• BZ - 2224220 - CVE-2023-22056 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023)
• BZ - 2224221 - CVE-2023-22057 mysql: Server: Replication unspecified vulnerability (CPU Jul 2023)
• BZ - 2224222 - CVE-2023-22058 mysql: Server: DDL unspecified vulnerability (CPU Jul 2023)
• BZ - 2245014 - CVE-2023-22032 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245015 - CVE-2023-22059 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245016 - CVE-2023-22064 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245017 - CVE-2023-22065 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245018 - CVE-2023-22066 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245019 - CVE-2023-22068 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245020 - CVE-2023-22070 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245021 - CVE-2023-22078 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245022 - CVE-2023-22079 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245023 - CVE-2023-22084 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245024 - CVE-2023-22092 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245026 - CVE-2023-22097 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245027 - CVE-2023-22103 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245028 - CVE-2023-22104 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245029 - CVE-2023-22110 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245030 - CVE-2023-22111 mysql: Server: UDF unspecified vulnerability (CPU Oct 2023)
• BZ - 2245031 - CVE-2023-22112 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023)
• BZ - 2245032 - CVE-2023-22113 mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023)
• BZ - 2245033 - CVE-2023-22114 mysql: InnoDB unspecified vulnerability (CPU Oct 2023)
• BZ - 2245034 - CVE-2023-22115 mysql: Server: DML unspecified vulnerability (CPU Oct 2023)
• BZ - 2258771 - CVE-2024-20960 mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024)
• BZ - 2258772 - CVE-2024-20961 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258773 - CVE-2024-20962 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258774 - CVE-2024-20963 mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024)
• BZ - 2258775 - CVE-2024-20964 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024)
• BZ - 2258776 - CVE-2024-20965 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258777 - CVE-2024-20966 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258778 - CVE-2024-20967 mysql: Server: Replication unspecified vulnerability (CPU Jan 2024)
• BZ - 2258779 - CVE-2024-20968 mysql: Server: Options unspecified vulnerability (CPU Jan 2024)
• BZ - 2258780 - CVE-2024-20969 mysql: Server: DDL unspecified vulnerability (CPU Jan 2024)
• BZ - 2258781 - CVE-2024-20970 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258782 - CVE-2024-20971 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258783 - CVE-2024-20972 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258784 - CVE-2024-20973 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258785 - CVE-2024-20974 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258787 - CVE-2024-20976 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258788 - CVE-2024-20977 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258789 - CVE-2024-20978 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258790 - CVE-2024-20981 mysql: Server: DDL unspecified vulnerability (CPU Jan 2024)
• BZ - 2258791 - CVE-2024-20982 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024)
• BZ - 2258792 - CVE-2024-20983 mysql: Server: DML unspecified vulnerability (CPU Jan 2024)
• BZ - 2258793 - CVE-2024-20984 mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024)
• BZ - 2258794 - CVE-2024-20985 mysql: Server: UDF unspecified vulnerability (CPU Jan 2024)

CVEs

• CVE-2022-4899
• CVE-2023-21911
• CVE-2023-21919
• CVE-2023-21920
• CVE-2023-21929
• CVE-2023-21933
• CVE-2023-21935
• CVE-2023-21940
• CVE-2023-21945
• CVE-2023-21946
• CVE-2023-21947
• CVE-2023-21953
• CVE-2023-21955
• CVE-2023-21962
• CVE-2023-21966
• CVE-2023-21972
• CVE-2023-21976
• CVE-2023-21977
• CVE-2023-21980
• CVE-2023-21982
• CVE-2023-22005
• CVE-2023-22007
• CVE-2023-22008
• CVE-2023-22032
• CVE-2023-22033
• CVE-2023-22038
• CVE-2023-22046
• CVE-2023-22048
• CVE-2023-22053
• CVE-2023-22054
• CVE-2023-22056
• CVE-2023-22057
• CVE-2023-22058
• CVE-2023-22059
• CVE-2023-22064
• CVE-2023-22065
• CVE-2023-22066
• CVE-2023-22068
• CVE-2023-22070
• CVE-2023-22078
• CVE-2023-22079
• CVE-2023-22084
• CVE-2023-22092
• CVE-2023-22097
• CVE-2023-22103
• CVE-2023-22104
• CVE-2023-22110
• CVE-2023-22111
• CVE-2023-22112
• CVE-2023-22113
• CVE-2023-22114
• CVE-2023-22115
• CVE-2024-20960
• CVE-2024-20961
• CVE-2024-20962
• CVE-2024-20963
• CVE-2024-20964
• CVE-2024-20965
• CVE-2024-20966
• CVE-2024-20967
• CVE-2024-20968
• CVE-2024-20969
• CVE-2024-20970
• CVE-2024-20971
• CVE-2024-20972
• CVE-2024-20973
• CVE-2024-20974
• CVE-2024-20976
• CVE-2024-20977
• CVE-2024-20978
• CVE-2024-20981
• CVE-2024-20982
• CVE-2024-20983
• CVE-2024-20984
• CVE-2024-20985
• CVE-2024-20993
• CVE-2024-21049
• CVE-2024-21050
• CVE-2024-21051
• CVE-2024-21052
• CVE-2024-21053
• CVE-2024-21055
• CVE-2024-21056
• CVE-2024-21057
• CVE-2024-21061
• CVE-2024-21137
• CVE-2024-21200

References

• https://access.redhat.com/security/updates/classification/#moderate