Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-18 Thread Hideki Yamane
Hi,

On Fri, 16 Sep 2016 10:27:56 +0200
Salvatore Bonaccorso wrote:
> > - Is it intentional not to provide build logs for jessie-security,
> >  or can we check build logs for security updates?
> 
> Builds can be done in advance, for embargoed issues. Thus logs should
> not be public. But yes, that could definitely be an improvement that
> logs can be published *after* a DSA is released. If you can help the
> wanna-build team on that matter I'm sure help would be appreciated.
> Nobody worked on that part so far.
> 
> > - Why is there no info in the tracker about the 5.5.52-0+deb8u1 upload?
> 
> The tracker afaict just records the upload to ftp-master. Thus, there
> will be a news entry only when the package is accepted into
> proposed-updates (unless I'm wrong on that).

 Okay, now it's clear to me, thanks!

 And NOKUBI Takatsugu says it may not be sufficient to fix non-x86 archs
 for this issue; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837984
 I'm not sure whether it's true or not, but can you take a look into it,
 please?


-- 
Regards,

 Hideki Yamane henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane



Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-16 Thread Salvatore Bonaccorso
Hi,

On Fri, Sep 16, 2016 at 10:27:56AM +0200, Salvatore Bonaccorso wrote:
> See above, yes I noticed but nevertheless released the DSA for the
> other suites.

Architectures, ...

I filed #837994 in case of interest. But it might be retested as well
on a porterbox.

Regards,
Salvatore



Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-16 Thread Moritz Muehlenhoff
On Fri, Sep 16, 2016 at 10:27:56AM +0200, Salvatore Bonaccorso wrote:
> > - Why is there no info in the tracker about the 5.5.52-0+deb8u1 upload?
> 
> The tracker afaict just records the upload to ftp-master. Thus, there
> will be a news entry only when the package is accepted into
> proposed-updates (unless I'm wrong on that).

That's correct.

Cheers,
Moritz



Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-16 Thread Hideki Yamane
Hi,

Just some questions.

https://packages.debian.org/jessie/mysql-server-core-5.5 says armhf has
5.5.50-0+deb8u1; it's the only arch that has the old version.

For mysql-5.5 on armhf, there is no jessie-security log.
https://buildd.debian.org/status/logs.php?pkg=mysql-5.5=armhf

https://tracker.debian.org/pkg/mysql-5.5 doesn't contain 5.5.52-0+deb8u1
upload information in its news items.

- Did you notice there is no update for mysql-5.5 on armhf?
 Is there any plan to rebuild it?
- Is it intentional not to provide build logs for jessie-security,
 or can we check build logs for security updates?
- Why is there no info in the tracker about the 5.5.52-0+deb8u1 upload?



Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-16 Thread Salvatore Bonaccorso
Hi!

On Fri, Sep 16, 2016 at 05:13:57PM +0900, Hideki Yamane wrote:
> Hi,
> 
> Just some questions.
> 
> https://packages.debian.org/jessie/mysql-server-core-5.5 says armhf has
> 5.5.50-0+deb8u1; it's the only arch that has the old version.
> 
> For mysql-5.5 on armhf, there is no jessie-security log.
> https://buildd.debian.org/status/logs.php?pkg=mysql-5.5=armhf

That's right. mysql-5.5 5.5.52-0+deb8u1 has failed various attempts to
build on armhf so far.

> https://tracker.debian.org/pkg/mysql-5.5 doesn't contain 5.5.52-0+deb8u1
> upload information in its news items.
> 
> - Did you notice there is no update for mysql-5.5 on armhf?

See above, yes I noticed but nevertheless released the DSA for the
other suites.

>  Is there any plan to rebuild it?

I tried to give back, but without success. So the build failure needs
to be investigated specifically on armhf.

> - Is it intentional not to provide build logs for jessie-security,
>  or can we check build logs for security updates?

Builds can be done in advance, for embargoed issues. Thus logs should
not be public. But yes, that could definitely be an improvement that
logs can be published *after* a DSA is released. If you can help the
wanna-build team on that matter I'm sure help would be appreciated.
Nobody worked on that part so far.

> - Why is there no info in the tracker about the 5.5.52-0+deb8u1 upload?

The tracker afaict just records the upload to ftp-master. Thus, there
will be a news entry only when the package is accepted into
proposed-updates (unless I'm wrong on that).

Hope that helps,

Regards,
Salvatore



Re: [SECURITY] [DSA 3666-1] mysql-5.5 security update

2016-09-14 Thread Marc K
robert.st...@datagroup.de

On Wed, Sep 14, 2016, 17:14 Salvatore Bonaccorso wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> - -
> Debian Security Advisory DSA-3666-1   secur...@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> September 14, 2016   https://www.debian.org/security/faq
> - -
>
> Package: mysql-5.5
> CVE ID : CVE-2016-6662
>
> Dawid Golunski discovered that the mysqld_safe wrapper provided by the
> MySQL database server insufficiently restricted the load path for custom
> malloc implementations, which could result in privilege escalation.
>
> The vulnerability was addressed by upgrading MySQL to the new upstream
> version 5.5.52, which includes additional changes, such as performance
> improvements, bug fixes, new features, and possibly incompatible
> changes. Please see the MySQL 5.5 Release Notes for further details:
>
>  https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html
>  https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
>
> For the stable distribution (jessie), this problem has been fixed in
> version 5.5.52-0+deb8u1.
>
> We recommend that you upgrade your mysql-5.5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
>
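As an added example, not code from this thread or from Debian's tooling: a Python reimplementation of dpkg's version ordering, used to flag installed mysql-server-core-5.5 builds that are still below the jessie fixed version the advisory names (the armhf case the thread discusses). The field layout of the listing and the sample lines are constructed assumptions built from the versions mentioned in the thread.

```python
# Added example (not Debian's code): dpkg's version ordering, reimplemented to
# check installed mysql-5.5 builds against the fixed version named in DSA-3666-1.
import re
from itertools import zip_longest

FIXED_VERSION = "5.5.52-0+deb8u1"  # jessie fixed version from the advisory
_RUNS = re.compile(r"(\D*)(\d*)")  # splits a string into non-digit/digit runs

def _order(c):
    # dpkg's weight for one character of a non-digit run: '' (end of run) is
    # 0, '~' sorts before everything, letters before other punctuation.
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare two upstream or revision strings the way dpkg's verrevcmp() does.
    runs = zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", ""))
    for (nondigit_a, digits_a), (nondigit_b, digits_b) in runs:
        for ca, cb in zip_longest(nondigit_a, nondigit_b, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        na, nb = int(digits_a or 0), int(digits_b or 0)
        if na != nb:
            return na - nb
    return 0

def _split(version):
    # 'epoch:upstream-revision'; epoch defaults to 0, revision may be absent.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Return -1, 0 or 1 with the ordering of `dpkg --compare-versions`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def vulnerable_builds(listing, package="mysql-server-core-5.5", fixed=FIXED_VERSION):
    # listing: 'package<TAB>arch<TAB>version' lines, as dpkg-query -W prints with
    # -f '${Package}\t${Architecture}\t${Version}\n'; returns builds below fixed.
    hits = []
    for line in listing.splitlines():
        pkg, arch, version = line.split("\t")
        if pkg == package and compare_versions(version, fixed) < 0:
            hits.append((arch, version))
    return hits

SAMPLE = ("mysql-server-core-5.5\tarmhf\t5.5.50-0+deb8u1\n"  # constructed sample
          "mysql-server-core-5.5\tamd64\t5.5.52-0+deb8u1\n")
```

Running `vulnerable_builds(SAMPLE)` reports only the armhf build, matching the gap the thread describes; feed it a real listing from `dpkg-query -W` to check a host.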