On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
>
> I suggest to package the latest Oracle release 5.5.52 that addresses the
> vulnerability. I'm not sure if we should wait until more details about
> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
> security team for advice.
>

I did some additional research on this and the oss-sec announcement [0] and
the LegalHackers advisory [1] both list versions <= 5.5.52 as being
vulnerable.

I checked on packages.ubuntu.com and it looks like they have uploaded 5.5.52
with an annotation that it addresses CVE-2016-6662. However, I would like to
confirm it by using the proof of concept in the LegalHackers advisory. I
think it makes more sense to confirm that the fix is in place before rushing
to package and then incorrectly declaring that the vulnerability has been
addressed.

More specifically, the LegalHackers advisory, which has a release date of
September 12, says "Official patches for the vulnerability are not available
at this time for Oracle MySQL server." Since version 5.5.52 was released
some weeks ago, that seems to indicate that perhaps it may still be
vulnerable.

Does anyone have any thoughts on the matter?

Regards,

-Roberto

[0] http://seclists.org/oss-sec/2016/q3/481
[1] http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com