
Re: Questions regarding MySQL update



On Wed, Sep 14, 2016 at 02:58:48PM +0200, Markus Koschany wrote:
> 
> Maybe you should contact Dawid Golunski who published the advisory and
> ask him to clarify the issue. As I understand it CVE-2016-6662 is fixed
> in version 5.5.52 which is confirmed by the official changelog in my
> opinion. [1]
> The fixed issues described in there match what is written in the
> security advisory from Dawid. We can only be sure when Oracle will
> release the next CPU in October and the CVEs will be referenced but I
> don't think we need to wait for that to happen.
> 
I just read the entire LegalHackers advisory in detail.  The "Vendor
Response" section at the end of the advisory indicates that Oracle,
Percona, and MariaDB were notified at the end of July.  It further
states that Percona and MariaDB addressed the issue and made the
relevant commits in their public repositories, but that after 40 days
(which would have lapsed just a few days ago) Oracle still had not
responded.

That is not to say that they couldn't have addressed the vulnerabilities
without contacting Dawid to tell him that they had done so.  That said,
the exploit is explained in a very detailed and methodical way in the
advisory.  Later on today I will work on replicating the exploit using
the latest 5.5.52 packages from Ubuntu to confirm that this version in
fact does fix the vulnerability.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
