Date: Fri, 12 Sep 2014 10:20:23 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MySQL: MyISAM temporary file issue

On Thu, Sep 11, 2014 at 11:42 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> On 11/09/14 01:36 PM, Ritwik Ghoshal wrote:
>> On 9/11/2014 1:28 AM, Sven Kieske wrote:
>>>
>>>
>>> On 10/09/14 18:00, Salvatore Bonaccorso wrote:
>>>> Hi
>>>>
>>>> The changes for MySQL 5.5.39 and 5.6.20 contain a reference to
>>>> the following issue, which could be exploited by a local user to run
>>>> arbitrary code in context of the mysqld server.
>>>
>>> While I'm investigating this:
>>> Does someone happen to know in which version this vuln got introduced?
>>>
>>
>> A complete list of all affected-supported MySQL releases will be
>> published via Oracle's quarterly Critical Patch Update(CPU) advisory.
>> More information about our CPU program is available at -
>> http://www.oracle.com/technetwork/topics/security/alerts-086861.html
>>
>>
>> Thanks,
>> -Ritwik
>
> So you're saying you won't tell anyone until the middle of October? So
> we have to wait just under 3 months from the release of MySQL 5.5.39 to
> find out exactly what versions are affected by security flaws fixed in it?
>
> Are you serious?

Indeed. Given MySQL's widespread usage, we can't wait that long. Maybe
Oracle needs to review its policy for critical updates.

>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>

--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.