
Re: Questions regarding MySQL update

On 13.09.2016 07:11, Roberto C. Sánchez wrote:
> I was looking over the dla-needed.txt entries and saw that mysql-5.5 was
> in need of a DLA, so I claimed it.  However, before I begin preparing
> the update, I thought I would ask a couple of questions to ensure that I
> understand clearly what needs to be done.
> Looking at the PTS and the history of the package, it looks like new
> upstream releases are uploaded as security updates.  However, based on
> the changelog entries [0], the uploads look very regular.  That is, they
> appear to correlate exactly to the quarterly CPU releases from Oracle.
> That said, the "Should be fixed ASAP" note in dla-needed.txt is what
> prompted me to claim the package and start doing some research.
> That said, should I go ahead and start preparing an update or is it
> necessary to wait for the quarterly CPU release from Oracle that gets
> turned into the stable security update and then package based on that?
> Is there any special coordination required for the stable security
> update?

Indeed we have always packaged new upstream releases of mysql for Wheezy
because Oracle doesn't disclose the exact fix for a known CVE issue. We
also can't assume that a MariaDB or Percona fix is identical for MySQL.

I have marked this update as "critical/ASAP" because the advisory is
based on a Debian system and contains a detailed proof of concept. The
issue still requires a MySQL user with sufficient rights or the
exploitation of another (yet unknown) issue to inject malicious SQL code
but such vulnerabilities are rather common for web applications, so it
shouldn't be taken lightly.

I suggest packaging the latest Oracle release 5.5.52 that addresses the
vulnerability. I'm not sure if we should wait until more details about
CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
security team for advice.

We should also consider tightening the permissions for global mysql
configuration files to root:mysql or even root:root to mitigate against
similar issues in the future. But this shouldn't be done without
consulting the maintainers first.



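The permission tightening proposed in the reply above, as an added shell check that is not part of this thread or of the Debian mysql packaging: it walks a configuration directory and reports every .cnf file whose owner:group is outside the proposed root:mysql / root:root policy or which is writable by group or others. The directory (/etc/mysql is assumed in the usage comment) and the accepted owner:group list are parameters; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian package): audit the global
# MySQL configuration tree for files that do not match the proposed ownership
# (root:root or root:mysql) or that are writable by group or others.
# Assumes GNU stat (-c), as shipped in Debian coreutils.

# check_cnf_file FILE ACCEPTED
#   ACCEPTED is a space-separated list of owner:group pairs that are allowed.
#   Prints "FILE owner:group mode reason" and returns 1 if FILE is off-policy,
#   otherwise prints nothing and returns 0.
check_cnf_file() {
    f=$1
    accepted=$2
    og=$(stat -c '%U:%G' "$f" 2>/dev/null) || return 0   # unreadable: skip
    mode=$(stat -c '%a' "$f")
    reason=""
    ok=0
    for pair in $accepted; do
        if [ "$og" = "$pair" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then reason="owner not in [$accepted]"; fi
    # Last two octal digits are group and other; 2,3,6,7 carry the write bit.
    case "$mode" in
        *[2367]?|*[2367]) reason="${reason:+$reason; }group/other writable" ;;
    esac
    if [ -n "$reason" ]; then
        printf '%s %s %s %s\n' "$f" "$og" "$mode" "$reason"
        return 1
    fi
    return 0
}

# audit_mysql_config DIR [ACCEPTED]
#   Walks every *.cnf under DIR (default policy: root:root or root:mysql) and
#   prints one line per off-policy file; prints nothing when the tree is clean.
audit_mysql_config() {
    dir=$1
    accepted=${2:-"root:root root:mysql"}
    find "$dir" -type f -name '*.cnf' | sort | while IFS= read -r f; do
        check_cnf_file "$f" "$accepted" || :
    done
}

# count_findings DIR [ACCEPTED]: number of off-policy files, 0 when clean.
count_findings() {
    audit_mysql_config "$@" | wc -l | tr -d ' '
}

# Typical invocation on a Debian host (the directory is an assumption):
#   audit_mysql_config /etc/mysql
```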