Date: Tue, 13 Sep 2016 01:53:00 +0000
From: HW42 <hw42@...umj.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )

From the advisory:

> on MySQL versions in branches 5.5 and 5.6.
> The datadir location for my.cnf has only been removed from MySQL starting
> from 5.7 branch however in many configurations it will still load config
> from:
>
> /var/lib/mysql/.my.cnf

This is only the case if HOME is set to /var/lib/mysql, right? So for
example not in the Debian config?

> IX. VENDOR RESPONSE / SOLUTION
> -------------------------
[...]
> No official patches or mitigations are available at this time from the vendor.
> As temporary mitigations, users should ensure that no mysql config files are
> owned by mysql user, and create root-owned dummy my.cnf files that are not in
> use.

Would it not be a better mitigation to not read the conf files from the
data directory at all? Something like the attached patch.

View attachment "mysql.patch" of type "text/x-diff" (1062 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (826 bytes)
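
A check for the temporary mitigation quoted from the advisory above, as an added example that is not part of the original message or its attached patch. The function names and status labels are made up for this example, and the HOME directory is passed in as an argument because which HOME mysqld runs with depends on the installation.

```shell
#!/bin/sh
# Added example: audit the temporary mitigation quoted from the advisory.
# Usage (paths and user name as mentioned in the thread):
#   audit_mysql_cnf /var/lib/mysql /var/lib/mysql mysql
# DATADIR/my.cnf is the datadir config location; HOMEDIR/.my.cnf is the
# per-user file, which only matters when mysqld's HOME points at HOMEDIR.

# Resolve a user name or a numeric uid to a numeric uid.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one status line per candidate file.
# Return status = number of findings (missing dummy file, or file owned
# by the MySQL account); 255 if the account cannot be resolved.
audit_mysql_cnf() {
    datadir=$1 homedir=$2
    uid=$(resolve_uid "$3") || { echo "unknown user: $3" >&2; return 255; }
    findings=0
    for f in "$datadir/my.cnf" "$homedir/.my.cnf"; do
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "MISSING      $f (no dummy file in place)"
            findings=$((findings + 1))
            continue
        fi
        # ls -ldn prints the numeric owner in field 3 (no GNU stat needed)
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$owner" = "$uid" ]; then
            echo "MYSQL_OWNED  $f (owned by uid $uid)"
            findings=$((findings + 1))
        elif [ "$owner" != "0" ]; then
            # Informational only: the advisory asks for root-owned dummies.
            echo "NOT_ROOT     $f (owned by uid $owner, not root)"
        else
            echo "OK           $f"
        fi
    done
    return "$findings"
}
```
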