Re: Questions regarding MySQL update
On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
>
> Indeed we have always packaged new upstream releases of mysql for Wheezy
> because Oracle doesn't disclose the exact fix for a known CVE issue. We
> also can't assume that a MariaDB or Percona fix is identical for MySQL.
>
I had inferred as much regarding MariaDB and Percona, but it is good to
have confirmation that the fixes are not always identical.
> I have marked this update as "critical/ASAP" because the advisory is
> based on a Debian system and contains a detailed proof of concept. The
> issue still requires a MySQL user with sufficient rights or the
> exploitation of another (yet unknown) issue to inject malicious SQL code
> but such vulnerabilities are rather common for web applications, so it
> shouldn't be taken lightly.
>
*sigh*, how very true that SQL-injection vulnerabilities are common and
rather useful for mischief like this.
> I suggest packaging the latest Oracle release 5.5.52 that addresses the
> vulnerability. I'm not sure if we should wait until more details about
> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
> security team for advice.
>
I can start working on this today.
> We should also consider tightening the permissions for global mysql
> configuration files to root:mysql or even root:root to mitigate against
> similar issues in the future. But this shouldn't be done without
> consulting the maintainers first.
>
Certainly. I imagine that if an LTS update makes such a change but stable
and testing packages do not also have a matching change, it will only
cause difficulty for administrators on upgrade.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
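As an added example (not code from this thread or from the Debian mysql packages), a small shell audit that checks what the permission-tightening suggestion above would enforce: every global .cnf file owned by root and not writable by group or others. It assumes the Debian layout under /etc/mysql (my.cnf plus conf.d/*.cnf), GNU find, and takes the directory and expected owner as parameters so it can be run against a scratch copy.

```sh
#!/bin/sh
# audit_mysql_conf DIR [OWNER]
#   Lists every .cnf under DIR that is not owned by OWNER (default: root)
#   or that carries a group/other write bit. Returns 0 when all files pass,
#   1 when at least one finding was printed, 2 when DIR does not exist.
#   Relies on GNU find (-perm /MODE and -printf), as shipped on Debian.
audit_mysql_conf() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    findings=$(
        # Ownership: the mysql service account must not own its own server
        # configuration, otherwise a compromise of that account (e.g. via a
        # privileged SQL user) can turn into changed server options.
        find "$dir" -type f -name '*.cnf' ! -user "$owner" \
            -printf "BAD owner %u (want $owner): %p\n"
        # Mode: any group/other write bit lets a non-root account edit the
        # file even when root owns it; root:mysql 0644 or root:root 0644 pass.
        find "$dir" -type f -name '*.cnf' -perm /022 \
            -printf 'BAD mode %m (group/world writable): %p\n'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Typical invocation on a Debian host (assumed path): audit_mysql_conf /etc/mysql
```

Remediation for a flagged file is the ownership and mode the thread proposes (chown root:mysql or root:root, chmod 0644), applied after checking with the maintainers as the thread notes.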