Security fixes from the October 2017 CPU

Debian Bug report logs - #878402
Security fixes from the October 2017 CPU

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>

To: submit@bugs.debian.org

Subject: Security fixes from the October 2017 CPU

Date: Fri, 13 Oct 2017 12:34:26 +0200

Source: mysql-5.5
Version: 5.5.57-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for October 2017 will be released on  
Tuesday, October 17. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.5.58.

The CVE numbers will be available when the CPU is released.

Regards,

Norvald H. Ryeng

[1] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Message #12 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>

To: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Security fixes from the October 2017 CPU

Date: Wed, 18 Oct 2017 07:07:03 +0200

CVE List for 5.5:

CVE-2017-10268
CVE-2017-10378
CVE-2017-10379
CVE-2017-10384

--
Lars

On 13. okt. 2017 12:34, Norvald H. Ryeng wrote:
> Source: mysql-5.5
> Version: 5.5.57-0+deb8u1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for October 2017 will be released on
> Tuesday, October 17. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.5.58.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.alioth.debian.org_cgi-2Dbin_mailman_listinfo_pkg-2Dmysql-2Dmaint&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg&m=dEyRpHvFwIr1RTEceqC6iy_yrzTaCF3pVSkZ3JFfOe4&s=0PVa9j2CKG1CAypoPA9B0-RLcMLbS5ifPg3jULC2EMw&e=

Message #17 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>

To: pkg-mysql-maint@lists.alioth.debian.org

Cc: debian-lts@lists.debian.org, security@debian.org, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU

Date: Wed, 18 Oct 2017 15:51:26 +0200

[Message part 1 (text/plain, inline)]

Hi,

5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
Attached are debdiff files for Wheezy and Jessie (source is also pushed 
to https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git)
As before, we unfortunately don't have a DD in our team that can sponsor 
the upload, so we need assistance with that.

I'm not sure if the security team still handles Debian8, or if the lts 
team does now?

--
Lars

On 18. okt. 2017 07:07, Lars Tangvald wrote:
> CVE List for 5.5:
>
> CVE-2017-10268
> CVE-2017-10378
> CVE-2017-10379
> CVE-2017-10384
>
> -- 
> Lars
>
> On 13. okt. 2017 12:34, Norvald H. Ryeng wrote:
>> Source: mysql-5.5
>> Version: 5.5.57-0+deb8u1
>> Severity: grave
>> Tags: security upstream fixed-upstream
>>
>> The Oracle Critical Patch Update for October 2017 will be released on
>> Tuesday, October 17. According to the pre-release announcement [1], it
>> will contain information about CVEs fixed in MySQL 5.5.58.
>>
>> The CVE numbers will be available when the CPU is released.
>>
>> Regards,
>>
>> Norvald H. Ryeng
>>
>> [1] 
>> http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
>>
>> _______________________________________________
>> pkg-mysql-maint mailing list
>> pkg-mysql-maint@lists.alioth.debian.org
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.alioth.debian.org_cgi-2Dbin_mailman_listinfo_pkg-2Dmysql-2Dmaint&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg&m=dEyRpHvFwIr1RTEceqC6iy_yrzTaCF3pVSkZ3JFfOe4&s=0PVa9j2CKG1CAypoPA9B0-RLcMLbS5ifPg3jULC2EMw&e= 
>>
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.alioth.debian.org_cgi-2Dbin_mailman_listinfo_pkg-2Dmysql-2Dmaint&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg&m=c99-Bm5n-zu86r80igRj7TWXp-vXfUXofGXqkJ2SCeI&s=hgxadh4mK_3tB-NifSwdsO2DofQ_meWLdPG93b3UUJs&e= 

[jessiedebdiff.txt.gz (application/gzip, attachment)]

[jessiedebiandiff.txt (text/plain, attachment)]

[wheezydebdiff.txt.gz (application/gzip, attachment)]

[wheezydebiandiff.txt (text/plain, attachment)]

Message #22 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Lars Tangvald <lars.tangvald@oracle.com>

Cc: pkg-mysql-maint@lists.alioth.debian.org, debian-lts@lists.debian.org, security@debian.org, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU

Date: Wed, 18 Oct 2017 20:46:02 +0200

Hi lars,

On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
> Hi,
> 
> 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
> Attached are debdiff files for Wheezy and Jessie (source is also pushed to
> https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git)
> As before, we unfortunately don't have a DD in our team that can sponsor the
> upload, so we need assistance with that.

I will look into it for jessie-security then.

> I'm not sure if the security team still handles Debian8, or if the lts team
> does now?

Yes, Debian 8 Jessie is still yet handled by the security team.

Regards,
Salvatore

Message #27 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Emilio Pozuelo Monfort <pochu@debian.org>

To: Lars Tangvald <lars.tangvald@oracle.com>, pkg-mysql-maint@lists.alioth.debian.org, debian-lts@lists.debian.org, security@debian.org, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU

Date: Thu, 19 Oct 2017 10:09:04 +0200

On 18/10/17 20:46, Salvatore Bonaccorso wrote:
> Hi lars,
> 
> On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
>> Hi,
>>
>> 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
>> Attached are debdiff files for Wheezy and Jessie (source is also pushed to
>> https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git)
>> As before, we unfortunately don't have a DD in our team that can sponsor the
>> upload, so we need assistance with that.
> 
> I will look into it for jessie-security then.
> 
>> I'm not sure if the security team still handles Debian8, or if the lts team
>> does now?
> 
> Yes, Debian 8 Jessie is still yet handled by the security team.

And I will take of Debian 7 (wheezy). Thanks for preparing the update!

Cheers,
Emilio

Message #32 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>

To: Emilio Pozuelo Monfort <pochu@debian.org>, pkg-mysql-maint@lists.alioth.debian.org, debian-lts@lists.debian.org, security@debian.org, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU

Date: Thu, 19 Oct 2017 10:23:15 +0200

On 10/19/2017 10:09 AM, Emilio Pozuelo Monfort wrote:
> On 18/10/17 20:46, Salvatore Bonaccorso wrote:
>> Hi lars,
>>
>> On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
>>> Hi,
>>>
>>> 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
>>> Attached are debdiff files for Wheezy and Jessie (source is also pushed to
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__anonscm.debian.org_cgit_pkg-2Dmysql_mysql-2D5.5.git&d=DwICaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg&m=00T7TUZCwXkig-wYCf-35nC5VNSQmjNOsNq0TOBoXBs&s=MPjTux6yCV6-5Si_VECXoTwgZxgsyNIHfNSpH1nq2ws&e= )
>>> As before, we unfortunately don't have a DD in our team that can sponsor the
>>> upload, so we need assistance with that.
>> I will look into it for jessie-security then.
>>
>>> I'm not sure if the security team still handles Debian8, or if the lts team
>>> does now?
>> Yes, Debian 8 Jessie is still yet handled by the security team.
> And I will take of Debian 7 (wheezy). Thanks for preparing the update!
>
> Cheers,
> Emilio
Thanks for the help to both of you! :)

--
Lars

Message #37 received at 878402@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Lars Tangvald <lars.tangvald@oracle.com>

Cc: Emilio Pozuelo Monfort <pochu@debian.org>, pkg-mysql-maint@lists.alioth.debian.org, debian-lts@lists.debian.org, security@debian.org, 878402@bugs.debian.org

Subject: Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU

Date: Thu, 19 Oct 2017 19:25:36 +0200

Hi Lars,

On Thu, Oct 19, 2017 at 10:23:15AM +0200, Lars Tangvald wrote:
> 
> 
> On 10/19/2017 10:09 AM, Emilio Pozuelo Monfort wrote:
> > On 18/10/17 20:46, Salvatore Bonaccorso wrote:
> > > Hi lars,
> > > 
> > > On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
> > > > Hi,
> > > > 
> > > > 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
> > > > Attached are debdiff files for Wheezy and Jessie (source is also pushed to
> > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__anonscm.debian.org_cgit_pkg-2Dmysql_mysql-2D5.5.git&d=DwICaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg&m=00T7TUZCwXkig-wYCf-35nC5VNSQmjNOsNq0TOBoXBs&s=MPjTux6yCV6-5Si_VECXoTwgZxgsyNIHfNSpH1nq2ws&e= )
> > > > As before, we unfortunately don't have a DD in our team that can sponsor the
> > > > upload, so we need assistance with that.
> > > I will look into it for jessie-security then.
> > > 
> > > > I'm not sure if the security team still handles Debian8, or if the lts team
> > > > does now?
> > > Yes, Debian 8 Jessie is still yet handled by the security team.
> > And I will take of Debian 7 (wheezy). Thanks for preparing the update!
> > 
> > Cheers,
> > Emilio
> Thanks for the help to both of you! :)

FTR, I just released DSA-4002-1 for mysql-5.5 in jessie-security.

Thanks for preparing the import.

Regards,
Salvatore

Message #42 received at 878402-close@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>

To: 878402-close@bugs.debian.org

Subject: Bug#878402: fixed in mysql-5.5 5.5.58-0+deb8u1

Date: Sat, 18 Nov 2017 22:21:00 +0000

Source: mysql-5.5
Source-Version: 5.5.58-0+deb8u1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878402@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lars Tangvald <lars.tangvald@oracle.com> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Oct 2017 10:20:55 +0200
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.5 mysql-source-5.5
Architecture: all source
Version: 5.5.58-0+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Lars Tangvald <lars.tangvald@oracle.com>
Closes: 878402
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite - MySQL testsuite
 mysql-testsuite-5.5 - MySQL testsuite
Changes:
 mysql-5.5 (5.5.58-0+deb8u1) jessie-security; urgency=high
 .
   * Imported upstream version 5.5.58 to fix security issues:
     - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
     - CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
     (Closes: #878402)
Checksums-Sha1: 
 8b0d577702148b3e6c298f8419382c20ff1dd55a 3262 mysql-5.5_5.5.58-0+deb8u1.dsc
 37be5e62011113e4c5c1b3095d714cc9800b11df 21045852 mysql-5.5_5.5.58.orig.tar.gz
 6e5c8b23b0ceadd2b8ddc4db55d3bf63bb462a06 232788 mysql-5.5_5.5.58-0+deb8u1.debian.tar.xz
 311286037d38414f77a463e662b92f1592e51fac 78622 mysql-common_5.5.58-0+deb8u1_all.deb
 02e8aa31c8957d7ce0dde5fd60c4ab31d17da02c 76970 mysql-server_5.5.58-0+deb8u1_all.deb
 6476e2514c63d3263d207f98dc39719f92869b7a 76836 mysql-client_5.5.58-0+deb8u1_all.deb
 4f477947f969fd7b60d4cfbfc571e90a7f83c198 76812 mysql-testsuite_5.5.58-0+deb8u1_all.deb
Checksums-Sha256: 
 5759120be94cf618f8a04595f4c3f82b3d9933c403be6b8b6f567580933f0bd0 3262 mysql-5.5_5.5.58-0+deb8u1.dsc
 9b6912faf261555c8975db24a987f63f36aaa28052a301e85538346ace0009b9 21045852 mysql-5.5_5.5.58.orig.tar.gz
 f1cb1bc0763628a0c076520677a5cac658b8b0b7811d0af1d99433b12a272062 232788 mysql-5.5_5.5.58-0+deb8u1.debian.tar.xz
 0e802b0e131161e97745b304c46b10b87940eacdf8f7bff9fdd270baa44176ba 78622 mysql-common_5.5.58-0+deb8u1_all.deb
 167881d7154ceef24f28f28ee5ddbca7b578bf42661af21f4cfb71f51b771f13 76970 mysql-server_5.5.58-0+deb8u1_all.deb
 7cf90a0541d1428045233ceb5d31d3267879401f52ca2b2befd78b906a145642 76836 mysql-client_5.5.58-0+deb8u1_all.deb
 81f9565b19e10e8719168f5ae877a24c5ef9f8e40bfca766c8225b16f384341a 76812 mysql-testsuite_5.5.58-0+deb8u1_all.deb
Files: 
 09c60cde24c2a031dad6d252376d0a79 3262 database optional mysql-5.5_5.5.58-0+deb8u1.dsc
 615d82fb528c8c91048685abaf67ed50 21045852 database optional mysql-5.5_5.5.58.orig.tar.gz
 19257054d22990b6cd1dd2fb2fbcf062 232788 database optional mysql-5.5_5.5.58-0+deb8u1.debian.tar.xz
 dfb1f95fe9013f50a564f237c7075b9d 78622 database optional mysql-common_5.5.58-0+deb8u1_all.deb
 7acc4f9dc9eda7682bdf751747059bc5 76970 database optional mysql-server_5.5.58-0+deb8u1_all.deb
 f637a1456f1a638e912e467d4eb64452 76836 database optional mysql-client_5.5.58-0+deb8u1_all.deb
 c5d08d850b2ebcf8c6b3dedd4058e970 76812 database optional mysql-testsuite_5.5.58-0+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlnnzMNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EoWEQAIV7CTNF4BcYY/WYMmjAeR/es7cTrIEM
qiRTPnpoilQKbQIxRz/SP69/0GPTBetmOENp1QPqubL4ixKY65oNQAynw6NhPBGS
UpZ3lpZZGDR/+wfCxNnkv2YPtZTTaGoRwPMSM/fWCP0po6Ag+30JlzWLLXxOTA82
Ev5AVJTnsQZH1Q7ThRVyK4U4ihfkF6Vi2DMsYWY3RKEeGCqf5wGTUN6OZ+eEyQd/
WL+0hixH7npSANCva0sMLait7REcNDQJlO6sq71zSVfF6wGQaWvuy8BcpgpqAAzP
VZIWTHl8bo4eV7vWmW24qDm4GO42zMIZkx5xrWE2qX4sqB77koCxX7GLkSAyn7bQ
1+augQYv5h7by0bUa2zlFkRtEMdU8iFpioX71axnF43xRgDORRe08kQFPMHZtb8D
UAa3PSjz/LPgmGdTD1hhghtnhalyAMt5ssw84KcN4FEgQH4UyObkk8fHkcuAok3E
Pz3XIWjEL5gJOnBG6VOZpKQ3+3f0c7niaLu1zn5IqFzgU81/Xoog56H2iy3OXzeb
oLzdqi0ht1Npf3/ctSgFAZqkE6a4ezwbDFQ5fgn2BBi9RpGTuuPqGBU6McXnf49y
ycv3C48csUO/ISehbliVwAlKFsOq7MwVfefw1MbslK20fMkSytUzcp0gw3hS8nKn
3VBsJKhqanPr
=4JtT
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.