Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 Sep 2016 14:35:41 +0200
From: Thomas Deutschmann <whissi@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVEs for vulnerabilities listed in MySQL 5.6.33 release note

Hi,

the MySQL 5.6.33 changelog [1] lists multiple fixed vulnerabilities but
I can't find CVEs for all of these problems. Am I missing something? If
not, could you please assign CVEs which would help tracking the status
of these problems in MariaDB and Percona-Server (see Percona's latest
release notes for their 5.6.32-based fork [2] which seems to address
vulnerabilities listed in 5.6.33):

> For mysqld_safe, the argument to --malloc-lib now must be one of the
>  directories /usr/lib, /usr/lib64, /usr/lib/i386-linux-gnu, or 
> /usr/lib/x86_64-linux-gnu. In addition, the --mysqld and 
> --mysqld-version options can be used only on the command line and not
> in an option file. (Bug #24464380)

This one seems to be related to CVE-2016-6662 but one could argue this
deserve its one CVE.


> It was possible to write log files ending with .ini or .cnf that 
> later could be parsed as option files. The general query log and
> slow query log can no longer be written to a file ending with .ini
> or .cnf. (Bug #24388753)

This is CVE-2016-6662.


> Privilege escalation was possible by exploiting the way REPAIR TABLE
> used temporary files. (Bug #24388746)

This one seems to be without a CVE (I guess this isn't CVE-2016-6663).


Thanks!



See also:
=========
[1] https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html

[2]
https://www.percona.com/blog/2016/09/21/percona-server-5-6-32-78-1-is-now-available/


-- 
Regards,
Thomas




[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ