Date: Fri, 12 Sep 2014 10:20:23 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MySQL: MyISAM temporary file issue

On Thu, Sep 11, 2014 at 11:42 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> On 11/09/14 01:36 PM, Ritwik Ghoshal wrote:
>> On 9/11/2014 1:28 AM, Sven Kieske wrote:
>>>
>>>
>>> On 10/09/14 18:00, Salvatore Bonaccorso wrote:
>>>> Hi
>>>>
>>>> The changes for MySQL 5.5.39[1] and 5.6.20[2] contain a reference to
>>>> the following issue, which could be exploited by a local user to run
>>>> arbitrary code in context of the mysqld server.
>>>
>>> While I'm investigating this:
>>> Does someone happen to know in which version this vuln got introduced?
>>>
>>
>> A complete list of all affected-supported MySQL releases will be
>> published via Oracle's quarterly Critical Patch Update(CPU) advisory.
>> More information about our CPU program is available at -
>> http://www.oracle.com/technetwork/topics/security/alerts-086861.html
>>
>>
>> Thanks,
>> -Ritwik
>
> So you're saying you won't tell anyone until the middle of October? So
> we have to wait just under 3 months from the release of MySQL 5.5.39 to
> find out exactly what versions are affected by security flaws fixed in it?
>
> Are you serious?

Indeed. Given MySQL's widespread usage, we can't wait that long. Maybe
Oracle needs to review its policy for critical updates.

>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
