On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote:
>
> Indeed we have always packaged new upstream releases of mysql for Wheezy
> because Oracle doesn't disclose the exact fix for a known CVE issue. We
> also can't assume that a MariaDB or Percona fix is identical for MySQL.
>

I had inferred as much regarding MariaDB and Percona, but it is good to have confirmation that the fixes are not always identical.

> I have marked this update as "critical/ASAP" because the advisory is
> based on a Debian system and contains a detailed proof of concept. The
> issue still requires a MySQL user with sufficient rights or the
> exploitation of another (yet unknown) issue to inject malicious SQL code,
> but such vulnerabilities are rather common for web applications, so it
> shouldn't be taken lightly.
>

*sigh*, how very true that SQL-injection vulnerabilities are common and rather useful for mischief like this.

> I suggest packaging the latest Oracle release 5.5.52 that addresses the
> vulnerability. I'm not sure if we should wait until more details about
> CVE-2016-6663 are known. Maybe it wouldn't be too bad to ask the
> security team for advice.
>
> I can start working on this today.
>
> We should also consider tightening the permissions for global mysql
> configuration files to root:mysql or even root:root to mitigate against
> similar issues in the future. But this shouldn't be done without
> consulting the maintainers first.
>

Certainly. I imagine that if an LTS update makes such a change but the stable and testing packages do not also have a matching change, it will only cause difficulty for administrators on upgrade.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
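The permission tightening Markus suggests above (global MySQL configuration owned by root, not writable by the mysql service account) can be checked on an existing system before any packaging change lands. The audit script below is an added example, not code from the thread or from the Debian mysql packages; the Debian config paths it defaults to are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian packaging): report MySQL
# configuration files that a non-root account could modify, i.e. files not
# owned by the expected owner or writable by group or others. A file owned by
# the mysql user, or group-writable with group mysql, is exactly the case the
# proposed root:mysql / root:root hardening is meant to rule out.

# audit_mysql_conf OWNER PATH...
# Prints every regular file under PATH... that is not owned by OWNER or that
# has the group-write (020) or other-write (002) bit set. Returns 0 when no
# file is reported, 1 otherwise. Missing paths are skipped silently.
audit_mysql_conf() {
    owner=$1
    shift
    bad=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        # Octal -perm tests are POSIX and work with GNU, BSD and busybox find.
        offenders=$(find "$p" -type f \( ! -user "$owner" -o -perm -020 -o -perm -002 \) 2>/dev/null)
        if [ -n "$offenders" ]; then
            printf '%s\n' "$offenders"
            bad=1
        fi
    done
    return $bad
}

# Default locations on a Debian system (assumption about the layout; adjust
# for other distributions or a non-standard datadir).
MYSQL_CONF_PATHS="/etc/mysql/my.cnf /etc/mysql/conf.d /etc/my.cnf"

# Word splitting of MYSQL_CONF_PATHS is intentional: each entry is one path.
if audit_mysql_conf root $MYSQL_CONF_PATHS; then
    echo "OK: no MySQL config file is writable by a non-root account"
else
    echo "WARNING: the files listed above can be modified by a non-root account" >&2
fi
```

A clean result here only covers the global files; per-user ~/.my.cnf files and any !includedir targets added locally need the same check.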
