Re: Questions regarding MySQL update

On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
> I suggest packaging the latest Oracle release 5.5.52 that addresses the
> vulnerability. I'm not sure if we should wait until more details about
> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
> security team for advice.
I did some additional research on this and the oss-sec announcement [0]
and the LegalHackers advisory [1] both list versions <= 5.5.52 as being
vulnerable. I checked on packages.ubuntu.com and it looks like they
have uploaded 5.5.52 with an annotation that it addresses CVE-2016-6662.
However, I would like to confirm it by using the proof of concept in the
LegalHackers advisory.  I think it makes more sense to confirm that the
fix is in place before rushing to package and then incorrectly declaring
that the vulnerability has been addressed.

More specifically, the LegalHackers advisory, which has a release date
of September 12, says "Official patches for the vulnerability are not
available at this time for Oracle MySQL server."  Since version 5.5.52
was released some weeks ago, that seems to indicate that perhaps it may
still be vulnerable.

Does anyone have any thoughts on the matter?



[0] http://seclists.org/oss-sec/2016/q3/481
[1] http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Roberto C. Sánchez
