
Re: Questions regarding MySQL update

On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
> Indeed we have always packaged new upstream releases of mysql for Wheezy
> because Oracle doesn't disclose the exact fix for a known CVE issue. We
> also can't assume that a MariaDB or Percona fix is identical for MySQL.
I had inferred as much regarding MariaDB and Percona, but it is good to
have confirmation that the fixes are not always identical.

> I have marked this update as "critical/ASAP" because the advisory is
> based on a Debian system and contains a detailed proof of concept. The
> issue still requires a MySQL user with sufficient rights or the
> exploitation of another (yet unknown) issue to inject malicious SQL code
> but such vulnerabilities are rather common for web applications, so it
> shouldn't be taken lightly.
*sigh*, how very true that SQL-injection vulnerabilities are common and
rather useful for mischief like this.

> I suggest packaging the latest Oracle release 5.5.52 that addresses the
> vulnerability. I'm not sure if we should wait until more details about
> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
> security team for advice.
I can start working on this today.

> We should also consider tightening the permissions for global mysql
> configuration files to root:mysql or even root:root to mitigate against
> similar issues in the future. But this shouldn't be done without
> consulting the maintainers first.
Certainly.  I imagine that if an LTS update makes such a change but then
stable and testing packages do not also have a matching change, it
will only cause difficulty for administrators on upgrade.



Roberto C. Sánchez
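The permission tightening discussed in the thread (root:mysql or root:root on the global mysql configuration files) can be checked on an installed system with the audit script below. It is an added example, not code from the debian-lts thread or from the Debian mysql packages; it assumes a Debian-style layout under /etc/mysql, configuration files named *.cnf, and GNU coreutils stat. A file is reported as WEAK when it is not owned by root (or the expected owner passed as the second argument), is world-writable, or is group-writable by a group other than root, which is exactly the state the proposed root:mysql 0640 / root:root ownership would rule out.

```shell
#!/bin/sh
# Added example, not code from the debian-lts thread or the Debian mysql packages.
# Audits the ownership and mode of MySQL global configuration files so that no
# file the mysql daemon user (or anyone other than root) can write to is left
# in place. Assumptions: a Debian-style layout under /etc/mysql, files named
# *.cnf, and GNU coreutils stat (-c).

# check_mysql_config_perms DIR [EXPECTED_OWNER]
# Prints one line per *.cnf file under DIR. A file is reported as WEAK when it
# is not owned by EXPECTED_OWNER (default root), is world-writable, or is
# group-writable by a group other than root. Returns 0 only if no file is WEAK.
check_mysql_config_perms() {
    dir="$1"
    want_owner="${2:-root}"
    bad=0
    # Word-splitting on the find output is acceptable here: the Debian config
    # paths (my.cnf, conf.d/*.cnf) contain no whitespace.
    for f in $(find "$dir" -type f -name '*.cnf' 2>/dev/null | sort); do
        owner=$(stat -c '%U' "$f")
        group=$(stat -c '%G' "$f")
        perms=$(stat -c '%A' "$f")               # symbolic mode, e.g. -rw-r-----
        gw=$(printf '%s' "$perms" | cut -c6)     # group write bit
        ow=$(printf '%s' "$perms" | cut -c9)     # other write bit
        reason=""
        [ "$owner" = "$want_owner" ] || reason="$reason owner=$owner"
        [ "$ow" = "-" ] || reason="$reason world-writable"
        if [ "$gw" = "w" ] && [ "$group" != "root" ]; then
            reason="$reason group-writable:$group"
        fi
        if [ -n "$reason" ]; then
            echo "WEAK $f ($perms $owner:$group)$reason"
            bad=$((bad + 1))
        else
            echo "OK   $f ($perms $owner:$group)"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh audit_mysql_cnf.sh /etc/mysql
# (root is the expected owner unless a second argument overrides it)
if [ $# -ge 1 ] && [ -d "$1" ]; then
    check_mysql_config_perms "$1" "${2:-root}"
fi
```

Run it against /etc/mysql after an upgrade to confirm that no file reports WEAK; a non-zero exit status from the function makes it usable from a cron job or a configuration-management check. The second argument exists so the function can be exercised on a scratch directory owned by an unprivileged user.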
