
Re: Questions regarding MySQL update



On 2016-09-13 22:50:29, Roberto C. Sánchez wrote:
> On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
>> 
>> I suggest packaging the latest Oracle release 5.5.52 that addresses the
>> vulnerability. I'm not sure if we should wait until more details about
>> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
>> security team for advice.
>> 
> I did some additional research on this and the oss-sec announcement [0]
> and the LegalHackers advisory both list versions <= 5.5.52 as being
> vulnerable.  I checked on packages.ubuntu.com and it looks like they
> have uploaded 5.5.52 with an annotation that it addresses CVE-2016-6662.
> However, I would like to confirm it by using the proof of concept in the
> LegalHackers advisory.  I think it makes more sense to confirm that the
> fix is in place before rushing to package and then incorrectly declaring
> that the vulnerability has been addressed.
>
> More specifically, the LegalHackers advisory, which has a release date
> of September 12, says "Official patches for the vulnerability are not
> available at this time for Oracle MySQL server."  Since version 5.5.52
> was released some weeks ago, that seems to indicate that perhaps it may
> still be vulnerable.
>
> Does anyone have any thoughts on the matter?

I updated the security tracker with some relevant information when this
came out:

https://security-tracker.debian.org/tracker/CVE-2016-6662

See in particular the OpenSUSE discussion here:

https://bugzilla.novell.com/show_bug.cgi?id=998309

It specifically mentions MariaDB 5.5.51, 10.0.27 and 10.1.17 as fixed:

https://mariadb.com/kb/en/mariadb/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb/security/

... and also MySQL 5.5.52 as fixed:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html

I am not sure why the advisory says that 5.5.52 is vulnerable. If you
look at his disclosure timeline, he mentions he disclosed this to Oracle
in July, so it's perfectly reasonable to think that they released 5.5.52
to fix that.

A.

-- 
Freedom of speech is a principal pillar of a free government; when
this support is taken away, the constitution of a free society is
dissolved, and tyranny is erected on its ruins.
                        - Benjamin Franklin, 1737

