Re: BACKRONYM and CVE-2017-3305

Hi again

Now I have read the information in CVE-2017-3305 better. Now I understand that it is just the mysql-5.7 version that is definitely not affected.

However it is still not clear to me whether the 5.5 version in jessie and wheezy is vulnerable to:

- The BACKRONYM vulnerability?

- CVE-2017-3305?

I'm trying to understand this sentence:

"... Later, Oracle tried to address the corresonding issue as well in 5.5 and 5.6 series..."

In what 5.5.x version was that addressed?

Best regards

// Ola

On 22 March 2017 at 20:32, Ola Lundqvist <ola@inguza.com> wrote:

Hi LTS team and Security team

I have started to look into CVE-2017-3305. As I understand both stable
and oldstable are unaffected by this vulnerability. The reason is that this is
an amendment of the correction for the BACKRONYM vulnerability.

What I do not understand however is whether mysql is vulnerable to the
backronym vulnerability or not.

I can not find any CVE for the BACKRONYM vulnerability. Or rather I can find it but that one is only for mariadb and percona https://security-tracker.debian.org/tracker/CVE-2015-3152.

Do any of you know whether the BACKRONYM has been fixed in mysql-5.5?
I thought I should ask before actually trying to reproduce it.

Best regards

// Ola

--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------

--- Inguza Technology AB --- MSc in Information Technology ----

/ ola@inguza.com Folkebogatan 26 \

| opal@debian.org 654 68 KARLSTAD |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /

---------------------------------------------------------------