[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: BACKRONYM and CVE-2017-3305

Hi Salvatore

Thank you. Now it is clear. I'll add this to dla-needed.txt then with a note that it will be fixed by Oracle in the next Oracle CPU.

Best regards

// Ola

On 22 March 2017 at 20:54, Salvatore Bonaccorso <carnil@debian.org> wrote:

On Wed, Mar 22, 2017 at 08:40:16PM +0100, Ola Lundqvist wrote:
> Hi again
> Now I have read the information in CVE-2017-3305 better. Now I understand
> that it is just the mysql-5.7 version that is definitely not affected.
> However it is still not clear to me whether the 5.5 version in jessie and
> wheezy is vulnerable to:
> - The BACKRONYM vulnerability?
> - CVE-2017-3305?
> I'm trying to understand this sentence:
> "... Later, Oracle tried to address the corresonding issue as well in 5.5
> and 5.6 series..."
> In what 5.5.x version was that addressed?

I have ammended the note to clarify which version tried to correct the
corresponding issue (*but* do *not* track CVE-2015-3152 for Oracle
MySQL, the CVE was specific to mariadb and percona).

The notes should hopefully be clear now. The CVE-2017-3305 will be
fixed by Oracle in the next Oracle CPU as promised by upstream.


 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: