CVE-2009-4484

Summary

CVE: CVE-2009-4484
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2009-12-30 21:30:00 UTC
Updated: 2023-02-14 21:13:00 UTC
Description: Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Risk And Classification

Problem Types: CWE-787

NVD Known Affected Configurations (CPE 2.3)

Type              Vendor     Product       Version  Update      Edition  Language
Operating System  Canonical  Ubuntu Linux  10.04    All         All      All
Operating System  Canonical  Ubuntu Linux  10.10    All         All      All
Operating System  Canonical  Ubuntu Linux  11.04    All         All      All
Operating System  Canonical  Ubuntu Linux  11.10    All         All      All
Operating System  Canonical  Ubuntu Linux  6.06     All         All      All
Operating System  Canonical  Ubuntu Linux  8.04     All         All      All
Operating System  Canonical  Ubuntu Linux  8.10     All         All      All
Operating System  Canonical  Ubuntu Linux  9.04     All         All      All
Operating System  Canonical  Ubuntu Linux  9.10     All         All      All
Operating System  Debian     Debian Linux  4.0      All         All      All
Operating System  Debian     Debian Linux  5.0      All         All      All
Operating System  Debian     Debian Linux  6.0      All         All      All
Application       Mariadb    Mariadb       All      All         All      All
Application       Oracle     Mysql         All      All         All      All
Application       Oracle     Mysql         5.0.0    milestone1  All      All
Application       Oracle     Mysql         5.0.0    milestone2  All      All
Application       Wolfssl    Yassl         All      All         All      All

References

Each entry lists the reference title, then its source, link host and tags.

  • RETIRED: yaSSL SSL Certificate Handling Remote Buffer Overflow Vulnerability
    Source: BID; Link: www.securityfocus.com; Tags: Third Party Advisory, VDB Entry
  • MySQL :: MySQL 5.1 Reference Manual :: C.1.1 Changes in MySQL 5.1.43 (Not yet released)
    Source: CONFIRM; Link: dev.mysql.com; Tags: Broken Link
  • Bug 555313 – CVE-2009-4484 mysql: yaSSL certificate parsing buffer overflow (vulndisco)
    Source: CONFIRM; Link: bugzilla.redhat.com; Tags: Issue Tracking, Third Party Advisory
  • Not Found
    Source: CONFIRM; Link: bazaar.launchpad.net; Tags: Broken Link
  • Ubuntu update for mysql-dfsg-5 and mysql-dfsg-5.1 - Advisories - Community
    Source: SECUNIA; Link: secunia.com; Tags: Third Party Advisory
  • yaSSL Certificate Processing Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com
    Source: SECUNIA; Link: secunia.com; Tags: Third Party Advisory
  • IBM X-Force Exchange
    Source: XF; Link: exchange.xforce.ibmcloud.com; Tags: Third Party Advisory, VDB Entry
  • MySQL Unspecified Flaw Lets Remote Users Execute Arbitrary Code - SecurityTracker
    Source: SECTRACK; Link: securitytracker.com; Tags: Third Party Advisory, VDB Entry
  • yaSSL | News Security Library
    Source: CONFIRM; Link: www.yassl.com; Tags: Broken Link
  • MySQL :: MySQL 5.0 Reference Manual :: C.1.1 Changes in MySQL 5.0.90 (15 January 2010)
    Source: CONFIRM; Link: dev.mysql.com; Tags: Broken Link
  • NEOHAPSIS - Peace of Mind Through Integrity and Insight
    Source: MLIST; Link: archives.neohapsis.com; Tags: Broken Link
  • MySQL yaSSL Certificate Processing Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com
    Source: SECUNIA; Link: secunia.com; Tags: Third Party Advisory
  • USN-897-1: MySQL vulnerabilities | Ubuntu
    Source: UBUNTU; Link: ubuntu.com; Tags: Third Party Advisory
  • Debian -- Security Information -- DSA-1997-1 mysql-dfsg-5.0
    Source: DEBIAN; Link: www.debian.org; Tags: Third Party Advisory
  • MySQL Bugs: Access denied
    Source: CONFIRM; Link: bugs.mysql.com; Tags: Exploit, Issue Tracking, Vendor Advisory
  • Webmail: Professional e-mail solution - OVHcloud - OVH
    Source: VUPEN; Link: www.vupen.com; Tags: Third Party Advisory
  • yaSSL Certificate Processing Buffer Overflow Vulnerability - Secunia.com
    Source: SECUNIA; Link: secunia.com; Tags: Third Party Advisory
  • MySQL remote exploit demo
    Source: MISC; Link: intevydis.com; Tags: Broken Link
  • MySQL Lists: commits: bzr commit into mysql-5.0-bugteam branch (ramil:2838) Bug#50227
    Source: MLIST; Link: lists.mysql.com; Tags: Patch, Vendor Advisory
  • VulnDisco Pack Professional 8.11 « Intevydis blog
    Source: MISC; Link: www.intevydis.com; Tags: Broken Link
  • 404 Not Found
    Source: MISC; Link: intevydis.com; Tags: Broken Link
  • Metasploit Penetration Testing Framework - Module Browser
    Source: MISC; Link: www.metasploit.com; Tags: Third Party Advisory
  • [dailydave] 20100126 New db bugs
    Source: MLIST; Link: lists.immunitysec.com; Tags: Broken Link
  • Debian update for mysql-dfsg-5.0 - Secunia.com
    Source: SECUNIA; Link: secunia.com; Tags: Third Party Advisory
  • MySQL with yaSSL SSL Certificate Handling Remote Stack Buffer Overflow Vulnerability
    Source: BID; Link: www.securityfocus.com; Tags: Third Party Advisory, VDB Entry
  • 61956
    Source: OSVDB; Link: www.osvdb.org; Tags: Broken Link
  • USN-1397-1: MySQL vulnerabilities | Ubuntu
    Source: UBUNTU; Link: www.ubuntu.com; Tags: Third Party Advisory
  • yaSSL | Release notes
    Source: CONFIRM; Link: www.yassl.com; Tags: Broken Link
  • yaSSL Buffer Overflow in Certificate Processing Lets Remote Users Execute Arbitrary Code - SecurityTracker
    Source: SECTRACK; Link: securitytracker.com; Tags: Third Party Advisory, VDB Entry
  • www.intevydis.com/blog
    Source: MISC; Link: www.intevydis.com; Tags: Broken Link
  • Possible new MySQL 0day
    Source: MISC; Link: isc.sans.org; Tags: Third Party Advisory
  • Intevydis blog: MySQL yassl stack overflow
    Source: MISC; Link: intevydis.blogspot.com; Tags: Broken Link
  • CVS Info for project yassl
    Source: CONFIRM; Link: yassl.cvs.sourceforge.net; Tags: Third Party Advisory
  • MySQL 5.0.51a Unspecified Remote Code Execution Vulnerability
    Source: BID; Link: www.securityfocus.com; Tags: Third Party Advisory, VDB Entry
  • CVE Program record
    Source: CVE.ORG; Link: www.cve.org; Tags: canonical
  • NVD vulnerability detail
    Source: NVD; Link: nvd.nist.gov; Tags: canonical, analysis

Vendor Comments And Credit

Organization: Red Hat
Published: 2010-01-26
Contributor: Tomas Hoger
Statement: Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL.

Legacy QID Mappings

  • 900089 CBL-Mariner Linux Security Update for kernel 5.4.51
  • 902862 Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (3462)
  • 905912 Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (3462-1)
© CVE.report 2026