Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
Hi,

On Fri, 16 Sep 2016 10:27:56 +0200 Salvatore Bonaccorso wrote:
> > - Is it intentional to not provide build log for jessie-security?
> >   or can we check build log for security updates?
>
> Builds can be done in advance, for embargoed issues. Thus logs should
> not be public. But yes, that could definitely be an improvement that
> logs can be published *after* a DSA is released. If you can help
> wanna-build team on that matter I'm sure help would be appreciated.
> Nobody worked on that part so far.
>
> > - Why there's no info in tracker about 5.5.52-0+deb8u1 upload?
>
> The tracker afaict just records the upload to ftp-master. Thus, there
> will be a news entry only when the package is accepted into
> proposed-updates (unless I'm wrong on that).

Okay, now it's clear for me, thanks!

And NOKUBI Takatsugu says it may not be sufficient to fix non-x86 archs
for this issue. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837984
I'm not sure whether it's true or not, but can you give a look into it, please?

-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
Hi,

On Fri, Sep 16, 2016 at 10:27:56AM +0200, Salvatore Bonaccorso wrote:
> See above, yes I noticed but nevertheless released the DSA for the
> other suites. Architectures, ...

I filed #837994 in case of interest. But it might be retested as well on
a porterbox.

Regards,
Salvatore
Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
On Fri, Sep 16, 2016 at 10:27:56AM +0200, Salvatore Bonaccorso wrote:
> > - Why there's no info in tracker about 5.5.52-0+deb8u1 upload?
>
> The tracker afaict just records the upload to ftp-master. Thus, there
> will be a news entry only when the package is accepted into
> proposed-updates (unless I'm wrong on that).

That's correct.

Cheers,
Moritz
Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
Hi,

Just some questions.

https://packages.debian.org/jessie/mysql-server-core-5.5 says
armhf 5.5.50-0+deb8u1; it's the only arch that has the old version.

mysql-5.5 in armhf, there is no jessie-security log.
https://buildd.debian.org/status/logs.php?pkg=mysql-5.5&arch=armhf

https://tracker.debian.org/pkg/mysql-5.5 doesn't contain 5.5.52-0+deb8u1
upload information in news item.

- Did you notice there is no update for mysql-5.5 armhf?
  Is there any plan to rebuild it?
- Is it intentional to not provide build log for jessie-security?
  or can we check build log for security updates?
- Why there's no info in tracker about 5.5.52-0+deb8u1 upload?
Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
Hi!

On Fri, Sep 16, 2016 at 05:13:57PM +0900, Hideki Yamane wrote:
> Hi,
>
> Just some questions.
>
> https://packages.debian.org/jessie/mysql-server-core-5.5 says
> armhf 5.5.50-0+deb8u1; it's the only arch that has the old version.
>
> mysql-5.5 in armhf, there is no jessie-security log.
> https://buildd.debian.org/status/logs.php?pkg=mysql-5.5&arch=armhf

That's right. mysql-5.5 5.5.52-0+deb8u1 has failed various attempts to
build on armhf so far.

> https://tracker.debian.org/pkg/mysql-5.5 doesn't contain 5.5.52-0+deb8u1
> upload information in news item.
>
> - Did you notice there is no update for mysql-5.5 armhf?

See above, yes I noticed but nevertheless released the DSA for the
other suites.

>   Is there any plan to rebuild it?

I tried to give back, but without success. So the build failure needs
to be investigated specifically on armhf.

> - Is it intentional to not provide build log for jessie-security?
>   or can we check build log for security updates?

Builds can be done in advance, for embargoed issues. Thus logs should
not be public. But yes, that could definitely be an improvement that
logs can be published *after* a DSA is released. If you can help
wanna-build team on that matter I'm sure help would be appreciated.
Nobody worked on that part so far.

> - Why there's no info in tracker about 5.5.52-0+deb8u1 upload?

The tracker afaict just records the upload to ftp-master. Thus, there
will be a news entry only when the package is accepted into
proposed-updates (unless I'm wrong on that).

Hope that helps,

Regards,
Salvatore
Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update
robert.st...@datagroup.de

On Wed, Sep 14, 2016, 17:14 Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3666-1                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> September 14, 2016                    https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : mysql-5.5
> CVE ID         : CVE-2016-6662
>
> Dawid Golunski discovered that the mysqld_safe wrapper provided by the
> MySQL database server insufficiently restricted the load path for custom
> malloc implementations, which could result in privilege escalation.
>
> The vulnerability was addressed by upgrading MySQL to the new upstream
> version 5.5.52, which includes additional changes, such as performance
> improvements, bug fixes, new features, and possibly incompatible
> changes. Please see the MySQL 5.5 Release Notes for further details:
>
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
>
> For the stable distribution (jessie), this problem has been fixed in
> version 5.5.52-0+deb8u1.
>
> We recommend that you upgrade your mysql-5.5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJX2WdfAAoJEAVMuPMTQ89EHJ0P/2GguTleQy7sFNqsBZHsANTz
> MYYazcwSHQQbMiAVKGkzO5sT+UmUcgA3YavP3ZUrB1PEg+03d6sgvpEV1vq5bSmX
> 7Br+6qgj4Sz1LCPBf/iS/RJ4WpSRkVFNNWqyvZOyj0HvvDpASscO6XRvmJdVcSGn
> 6kl9qv4HxHY0LXAi4hxkD/h4aMjRwt7kG3PK32QAPqhn2bXXT3pdRZF1We8wFjS2
> Tkxky3f8Ns4Ect2dbgNXYrlpcGODD9lYzESH8e4Cdrvsyyr/J39M8XH/va8uJfgS
> Db8VA2/hiy22jTMI0r2kqhgFcv5L6HK/FO9So5ON6zSAtLj4risMoXbclpMLe4qd
> saF+XQVAgaSvPZ6K0KuPJihmKj3XshzBDYO9aKsD1yiUfpu+IfRPUqyO1g7si4kD
> FbcIN2KnRnNROFsronsOWnyCQ8ffrKJokzRkzcpjU4qkFLK3rvpLkUvwm2+KTlCC
> W6ZtW9tpADr8hK7fcGKBPqj4aQTV2101Vuy08LSLqMMXq+kJF3VzsRlWctqodEpX
> /eSnwSeBvcigSZXWTcrwMt1vb+ixVSYkybFokvjjK5WEdH6LuO4YaBv6VuJewH2E
> FWxKBTHos5Uff2DNQz63B0As7ul6VjoWCcQhaY2e84WzIaVdJAcog5Rzf3IIBc+M
> ftF3slzWy/NPPG2SZURD
> =ihba
> -----END PGP SIGNATURE-----
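The advisory quoted above says only that mysqld_safe "insufficiently restricted the load path for custom malloc implementations". The security-relevant detail is that mysqld_safe hands the --malloc-lib value to mysqld through LD_PRELOAD, so whoever can set that option (on the command line or in an option file mysqld_safe reads) gets a shared object of their choosing loaded into the server process with the server's privileges. The fix class is a directory allow-list for that path. The script below is an added example written for this page; it is not mysqld_safe's own code and not Debian's or Oracle's patch. The list of allowed directories and the function names are assumptions chosen for illustration, so check the 5.5.52 release notes linked in the DSA and your installed mysqld_safe for the real policy.

```shell
#!/bin/sh
# Added example (not from mysqld_safe, Debian or Oracle): a directory
# allow-list for the --malloc-lib value of the kind the DSA describes as
# missing before MySQL 5.5.52. mysqld_safe turns this value into an
# LD_PRELOAD for mysqld, so the library named here runs inside the server.
#
# ASSUMPTION: this directory list is illustrative, not the upstream one.
ALLOWED_MALLOC_DIRS="/usr/lib /usr/lib64 /usr/lib/i386-linux-gnu /usr/lib/x86_64-linux-gnu"

# check_malloc_lib VALUE
# Returns 0 if VALUE is acceptable as a --malloc-lib argument, 1 otherwise.
# Policy: a bare library name (no slash) is accepted because it is only ever
# looked up inside ALLOWED_MALLOC_DIRS; an absolute path is accepted only when
# its directory is exactly one of ALLOWED_MALLOC_DIRS; relative paths and any
# ".." component are refused so the exact-match comparison cannot be escaped.
check_malloc_lib() {
    lib=$1

    # Empty value: nothing to preload, treat as refused rather than silent.
    [ -n "$lib" ] || return 1

    # Bare name: resolve_malloc_lib searches the allow-list for it.
    case $lib in
        */*) ;;
        *)   return 0 ;;
    esac

    # Must be absolute, and must not contain "/../" anywhere.
    case $lib in
        /*) ;;
        *)  return 1 ;;
    esac
    case "/$lib/" in
        */../*) return 1 ;;
    esac

    # Directory of the path must be one of the allowed directories verbatim.
    dir=${lib%/*}
    for allowed in $ALLOWED_MALLOC_DIRS; do
        [ "$dir" = "$allowed" ] && return 0
    done
    return 1
}

# resolve_malloc_lib VALUE
# Prints the absolute path that would be placed in LD_PRELOAD, or prints
# nothing and returns 1 if the value fails check_malloc_lib or a bare name
# does not exist in any allowed directory. Absolute paths are not required
# to exist here: the policy is about the directory, not the file.
resolve_malloc_lib() {
    lib=$1
    check_malloc_lib "$lib" || return 1
    case $lib in
        /*) printf '%s\n' "$lib"; return 0 ;;
    esac
    for allowed in $ALLOWED_MALLOC_DIRS; do
        if [ -f "$allowed/$lib" ]; then
            printf '%s\n' "$allowed/$lib"
            return 0
        fi
    done
    return 1
}

# Demonstration on constructed inputs (these paths are made up for the demo).
for v in libtcmalloc.so.4 \
         /usr/lib/x86_64-linux-gnu/libtcmalloc.so.4 \
         /tmp/evil.so \
         /usr/lib/../../tmp/evil.so \
         ../../tmp/evil.so; do
    if check_malloc_lib "$v"; then
        echo "allow  $v"
    else
        echo "refuse $v"
    fi
done
```

The important design choice is the exact string match on the directory after rejecting relative paths and ".." components: a prefix match such as "starts with /usr/lib" would still accept /usr/lib/../../tmp/evil.so or a user-writable subdirectory, and canonicalising with realpath would make the check depend on the filesystem state at check time rather than on the policy.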