
mysql-5.5 CVE-2016-6662



Hello,

I had a look at CVE-2016-6662. Looks pretty simple to understand. Looks
like the ability for mysqld to create arbitrary log files - that may
overwrite/create config files with write permissions for the mysql user
- is a key factor.

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Anyone been able to find the upstream changes that address this?

While it might be possible to find a resolution anyway, it is probably
worth looking at the upstream solution first.

Out of time now, will continue looking later.

Regards
-- 
Brian May <bam@debian.org>
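
A defensive audit for the condition the message above describes (config files that the database service account can overwrite or create), added here as an example and not part of the original post. The function names are hypothetical, the config paths are supplied by the caller, and only classic Unix mode bits are considered (no ACLs).

```python
import os

def holds(st, uid, gids, bits):
    """Mode-bit check: does uid/gids hold all of `bits` (e.g. 0o2 = write)?
    Ignores ACLs and capabilities."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & bits) == bits

def audit_config_paths(paths, uid, gids=()):
    """Return [(path, reason)] for config paths the service account could
    overwrite or create. `paths` is supplied by the caller: the config
    locations the server reads on the host being audited."""
    gids, findings = set(gids), []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            # Missing file: the exposure is creation, so inspect the parent.
            parent = os.path.dirname(os.path.abspath(path))
            try:
                pst = os.stat(parent)
            except FileNotFoundError:
                continue
            # Creating a file needs write + search (0o3) on the directory;
            # a directory owner can grant that to itself with chmod.
            if pst.st_uid == uid or holds(pst, uid, gids, 0o3):
                findings.append((path, "missing, parent directory writable"))
            continue
        if st.st_uid == uid:
            # The owner can chmod the file, so read-only mode is no barrier.
            findings.append((path, "owned by service account"))
        elif holds(st, uid, gids, 0o2):
            findings.append((path, "writable by service account"))
    return findings

if __name__ == "__main__":
    import pwd, sys
    # Usage: script.py ACCOUNT PATH [PATH ...]  (account mysqld runs as)
    acct = pwd.getpwnam(sys.argv[1])
    groups = os.getgrouplist(acct.pw_name, acct.pw_gid)
    for path, reason in audit_config_paths(sys.argv[2:], acct.pw_uid, groups):
        print(f"{path}: {reason}")
```

An empty result means none of the listed paths can be modified or created by that account through ordinary file permissions.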

