On 13.09.2016 07:11, Roberto C. Sánchez wrote:
> I was looking over the dla-needed.txt entries and saw that mysql-5.5 was
> in need of a DLA, so I claimed it. However, before I begin preparing
> the update, I thought I would ask a couple of questions to ensure that I
> understand clearly what needs to be done.
>
> Looking at the PTS and the history of the package, it looks like new
> upstream releases are uploaded as security updates. However, based on
> the changelog entries [0], the uploads look very regular. That is, they
> appear to correlate exactly to the quarterly CPU releases from Oracle.
> That said, the "Should be fixed ASAP" note in dla-needed.txt is what
> prompted me to claim the package and start doing some research.
>
> That said, should I go ahead and start preparing an update or is it
> necessary to wait for the quarterly CPU release from Oracle that gets
> turned into the stable security update and then package based on that?
> Is there any special coordination required for the stable security
> update?

Indeed we have always packaged new upstream releases of mysql for Wheezy
because Oracle doesn't disclose the exact fix for a known CVE issue. We
also can't assume that a MariaDB or Percona fix is identical for MySQL.

I have marked this update as "critical/ASAP" because the advisory is
based on a Debian system and contains a detailed proof of concept. The
issue still requires a MySQL user with sufficient rights or the
exploitation of another (yet unknown) issue to inject malicious SQL code,
but such vulnerabilities are rather common for web applications, so it
shouldn't be taken lightly.

I suggest packaging the latest Oracle release 5.5.52 that addresses the
vulnerability. I'm not sure if we should wait until more details about
CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the security
team for advice.

We should also consider tightening the permissions for global mysql
configuration files to root:mysql or even root:root to mitigate against
similar issues in the future. But this shouldn't be done without
consulting the maintainers first.

Regards,

Markus
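The permission hardening Markus proposes above can be checked on an existing system before anyone changes the packaging. The following audit script is an added example, not code from this thread or from the Debian mysql packages; it assumes the usual Debian config locations (override CONF_PATHS for others), GNU stat, and an expected owner/group of root and root or mysql (overridable via CONF_OWNER/CONF_GROUPS). Paths containing whitespace are not handled.

```shell
#!/bin/sh
# Audit ownership and permissions of MySQL global configuration files and
# directories, flagging anything a non-root account, the group or the world
# could modify. Constructed example; defaults follow the Debian layout.

CONF_PATHS=${CONF_PATHS:-"/etc/mysql/my.cnf /etc/mysql/conf.d /etc/my.cnf"}
CONF_OWNER=${CONF_OWNER:-root}            # expected owner of every entry
CONF_GROUPS=${CONF_GROUPS:-"root mysql"}  # acceptable groups (root:mysql or root:root)

# has_write_bit OCTAL_DIGIT -> exit 0 if the digit carries the write bit (w=2)
has_write_bit() {
    case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# check_conf_file PATH: prints "OK PATH" or "BAD PATH: reasons";
# returns 0 only when owner, group and mode are all acceptable.
check_conf_file() {
    f=$1
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    set -- $(stat -c '%U %G %a' "$f")   # GNU stat: owner, group, octal mode
    owner=$1 group=$2 mode=$3
    reasons=""
    [ "$owner" = "$CONF_OWNER" ] || reasons="$reasons owner=$owner"
    ok_group=1
    for g in $CONF_GROUPS; do [ "$group" = "$g" ] && ok_group=0; done
    [ $ok_group -eq 0 ] || reasons="$reasons group=$group"
    # The last two octal digits are the group and other permission bits;
    # a setuid/setgid/sticky digit in front is ignored.
    last2=${mode#"${mode%??}"}
    has_write_bit "${last2%?}" && reasons="$reasons group-writable"
    has_write_bit "${last2#?}" && reasons="$reasons world-writable"
    if [ -z "$reasons" ]; then echo "OK $f"; return 0; fi
    echo "BAD $f:$reasons (mode $mode)"
    return 1
}

# audit_mysql_conf: checks every file and directory under CONF_PATHS
# (a writable conf.d directory matters as much as a writable my.cnf);
# the exit status is the number of bad entries, so 0 means all clean.
audit_mysql_conf() {
    bad=0
    for p in $CONF_PATHS; do
        [ -e "$p" ] || continue
        for f in $(find "$p" \( -type f -o -type d \)); do
            check_conf_file "$f" || bad=$((bad + 1))
        done
    done
    return $bad
}
```

Run it as root on the host (`audit_mysql_conf; echo "bad entries: $?"`); a mysql-owned or group-writable entry is reported as BAD with the reason.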