On Wed, Sep 14, 2016 at 02:58:48PM +0200, Markus Koschany wrote:
>
> Maybe you should contact Dawid Golunski who published the advisory and
> ask him to clarify the issue. As I understand it CVE-2016-6662 is fixed
> in version 5.5.52 which is confirmed by the official changelog in my
> opinion. [1]
> The fixed issues described in there match what is written in the
> security advisory from Dawid. We can only be sure when Oracle will
> release the next CPU in October and the CVEs will be referenced but I
> don't think we need to wait for that to happen.
>

I just read the entire LegalHackers advisory in detail. The "Vendor
Response" section at the end of the advisory indicates that Oracle,
Percona, and MariaDB were notified at the end of July. It further states
that Percona and MariaDB addressed the issue and made the relevant
commits in their public repositories, but that after 40 days (which
would have lapsed just a few days ago) Oracle still had not responded.
That is not to say that they couldn't have addressed the vulnerabilities
without contacting Dawid to tell him that they had done so.

That said, the exploit is explained in a very detailed and methodical
way in the advisory. Later on today I will work on replicating the
exploit using the latest 5.5.52 packages from Ubuntu to confirm that
this version in fact does fix the vulnerability.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com