Date: Tue, 13 Sep 2016 01:53:00 +0000
From: HW42 <hw42@...umj.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-6662 - MySQL Remote Root Code Execution /
 Privilege Escalation ( 0day )

From the advisory:
> on MySQL versions in branches 5.5 and 5.6.
> The datadir location for my.cnf has only been removed from MySQL starting
> from 5.7 branch however in many configurations it will still load config
> from:
> 
> /var/lib/mysql/.my.cnf

This is only the case if HOME is set to /var/lib/mysql, right? So for
example not in the Debian config?

> IX. VENDOR RESPONSE / SOLUTION
> -------------------------
[...]
> No official patches or mitigations are available at this time from the vendor.
> As temporary mitigations, users should ensure that no mysql config files are
> owned by mysql user, and create root-owned dummy my.cnf files that are not in
> use.

Would it not be a better mitigation to not read the conf files from the
data directory at all? Something like the attached patch.

View attachment "mysql.patch" of type "text/x-diff" (1062 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (826 bytes)
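
One way to check the advisory's temporary mitigation quoted above, as an added example that is not part of the original message, the advisory or the attached patch. Assumptions: the server account is named `mysql`, `/etc/my.cnf` and `/etc/mysql/my.cnf` are checked alongside the data-directory paths quoted above, and the `ROOT` prefix parameter is hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the post).
# Usage: audit_mysql_cnf [ROOT] [USER]
#   ROOT  prefix to inspect, "" for the live system (hypothetical parameter)
#   USER  account mysqld runs as, name or numeric uid (assumed: mysql)
# Prints "STATUS path" per candidate; returns 1 if any line needs action,
# 2 if USER cannot be resolved.

# True if $1 itself (symlinks not followed) is owned by user $2.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

audit_mysql_cnf() {
    root=${1:-}
    user=${2:-mysql}
    rc=0
    # A name must resolve; otherwise find would silently match nothing.
    case $user in
        ''|*[!0-9]*)
            id -u "$user" >/dev/null 2>&1 || {
                echo "ERROR unknown user: $user" >&2
                return 2
            } ;;
    esac
    for rel in /etc/my.cnf /etc/mysql/my.cnf \
               /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf; do
        path=$root$rel
        dir=${path%/*}
        if [ -e "$path" ] || [ -L "$path" ]; then
            if owned_by "$path" "$user"; then
                echo "OWNED $rel"; rc=1      # service account can rewrite it
            else
                echo "OK $rel"
            fi
        elif [ -d "$dir" ] && owned_by "$dir" "$user"; then
            echo "MISSING $rel"; rc=1        # service account could create it
        else
            echo "ABSENT $rel"               # not present, parent not owned by USER
        fi
    done
    return $rc
}
```

Run as root against the live system with `audit_mysql_cnf "" mysql`; `OWNED` and `MISSING` lines are the ones the advisory's mitigation asks to correct.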
