Debian Bug report logs -
#868788
Security fixes from the July 2017 CPU
Reported by: Lars Tangvald <lars.tangvald@oracle.com>
Date: Tue, 18 Jul 2017 16:51:04 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions mysql-5.5/5.5.55-0+deb8u1, mysql-5.5/5.5.42-1
Fixed in version mysql-5.5/5.5.57-0+deb8u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Tue, 18 Jul 2017 16:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Lars Tangvald <lars.tangvald@oracle.com>
:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org
.
(Tue, 18 Jul 2017 16:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mysql-5.5
Version: 5.5.55-0+deb8u1
Severity: grave
Tags: security upstream fixed-upstream
The Oracle Critical Patch Update for July 2017 will be released on
Tuesday, July 18. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.5.57.
We will update the bug with CVE numbers when they become available, and
test the update to ensure there are no packaging issues that need
addressing.
Regards,
Lars Tangvald
[1]
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Marked as found in versions mysql-5.5/5.5.42-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Tue, 18 Jul 2017 19:27:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Wed, 19 Jul 2017 10:27:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Lars Tangvald <lars.tangvald@oracle.com>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Wed, 19 Jul 2017 10:27:07 GMT) (full text, mbox, link).
Message #12 received at 868788@bugs.debian.org (full text, mbox, reply):
CVE list for 5.5:
CVE-2017-3635
CVE-2017-3636
CVE-2017-3641
CVE-2017-3648
CVE-2017-3651
CVE-2017-3652
CVE-2017-3653
--
Lars
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Thu, 20 Jul 2017 11:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Lars Tangvald <lars.tangvald@oracle.com>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Thu, 20 Jul 2017 11:39:05 GMT) (full text, mbox, link).
Message #17 received at 868788@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
The Jessie update to MySQL 5.5.57 has been built and tested without any
issues seen.
Attached are debdiff files for the Jessie update to MySQL 5.5.57
--
Lars
[jessiedebdiff.txt.gz (application/gzip, attachment)]
[jessiedebiandiff.txt (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Thu, 20 Jul 2017 13:30:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Lars Tangvald <lars.tangvald@oracle.com>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Thu, 20 Jul 2017 13:30:10 GMT) (full text, mbox, link).
Message #22 received at 868788@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
The Wheezy update to MySQL 5.5.57 has been built and tested without any
issues seen.
Attached are debdiff files for the Wheezy update.
--
Lars
[wheezydebdiff.txt.gz (application/gzip, attachment)]
[wheezydebiandiff.txt (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Thu, 20 Jul 2017 19:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Thu, 20 Jul 2017 19:21:04 GMT) (full text, mbox, link).
Message #27 received at 868788@bugs.debian.org (full text, mbox, reply):
Hi Lars,
On Thu, Jul 20, 2017 at 12:08:29PM +0200, Lars Tangvald wrote:
> Hi,
>
> The Jessie update to MySQL 5.5.57 has been built and tested without any
> issues seen.
>
> Attached are debdiff files for the Jessie update to MySQL 5.5.57
This is fine. Do you have a DD in your team who can preferably sponsor
the upload to jessie-security?
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Tue, 01 Aug 2017 19:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Tue, 01 Aug 2017 19:09:05 GMT) (full text, mbox, link).
Message #32 received at 868788@bugs.debian.org (full text, mbox, reply):
Hi Norvald,
On Tue, Aug 01, 2017 at 08:57:37PM +0200, Norvald H. Ryeng wrote:
> On Thu, 20 Jul 2017 21:18:30 +0200
> Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> > Hi Lars,
> >
> > On Thu, Jul 20, 2017 at 12:08:29PM +0200, Lars Tangvald wrote:
> > > Hi,
> > >
> > > The Jessie update to MySQL 5.5.57 has been built and tested without
> > > any issues seen.
> > >
> > > Attached are debdiff files for the Jessie update to MySQL 5.5.57
> >
> > This is fine. Do you have a DD in your team who can preferably sponsor
> > the upload to jessie-security?
>
> (Lars just started his summer vacation, so I'm picking up this thread.)
>
> Looks like there aren't any DDs around. Could you help us out with
> this upload, please?
This has been done already, cf.
https://lists.debian.org/debian-security-announce/2017/msg00184.html
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org
:
Bug#868788
; Package src:mysql-5.5
.
(Tue, 01 Aug 2017 19:21:07 GMT) (full text, mbox, link).
Acknowledgement sent
to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org
.
(Tue, 01 Aug 2017 19:21:07 GMT) (full text, mbox, link).
Message #37 received at 868788@bugs.debian.org (full text, mbox, reply):
On Thu, 20 Jul 2017 21:18:30 +0200
Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Lars,
>
> On Thu, Jul 20, 2017 at 12:08:29PM +0200, Lars Tangvald wrote:
> > Hi,
> >
> > The Jessie update to MySQL 5.5.57 has been built and tested without
> > any issues seen.
> >
> > Attached are debdiff files for the Jessie update to MySQL 5.5.57
>
> This is fine. Do you have a DD in your team who can preferably sponsor
> the upload to jessie-security?
(Lars just started his summer vacation, so I'm picking up this thread.)
Looks like there aren't any DDs around. Could you help us out with
this upload, please?
Best regards,
Norvald H. Ryeng
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>
:
You have taken responsibility.
(Sat, 05 Aug 2017 19:51:19 GMT) (full text, mbox, link).
Notification sent
to Lars Tangvald <lars.tangvald@oracle.com>
:
Bug acknowledged by developer.
(Sat, 05 Aug 2017 19:51:19 GMT) (full text, mbox, link).
Message #42 received at 868788-close@bugs.debian.org (full text, mbox, reply):
Source: mysql-5.5
Source-Version: 5.5.57-0+deb8u1
We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868788@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mysql-5.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 20 Jul 2017 07:03:49 +0200
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.5 mysql-source-5.5
Architecture: all source
Version: 5.5.57-0+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868788
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient18 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - PIC version of MySQL embedded server development files
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-5.5 - MySQL database client binaries
mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-5.5 - MySQL database server binaries and system database setup
mysql-server-core-5.5 - MySQL database server binaries
mysql-source-5.5 - MySQL source
mysql-testsuite - MySQL testsuite
mysql-testsuite-5.5 - MySQL testsuite
Changes:
mysql-5.5 (5.5.57-0+deb8u1) jessie-security; urgency=high
.
* Imported upstream version 5.5.57 to fix security issues:
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648
- CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
(Closes: #868788)
Checksums-Sha1:
3ddca18597306e8b9161a2159b55f685223da8db 3262 mysql-5.5_5.5.57-0+deb8u1.dsc
4652b6bbc6b0dbb763ffa778c29e8cb4ea6a9f7f 21044615 mysql-5.5_5.5.57.orig.tar.gz
14bc13cdebda591e99d5d1810b61906843f19bf5 232520 mysql-5.5_5.5.57-0+deb8u1.debian.tar.xz
8f91515ae83079689436b4b968e1b4dfca7c3ad1 84234 mysql-common_5.5.57-0+deb8u1_all.deb
e61afe57cba22a3ec2aae4464eee5af8b3f63231 82470 mysql-server_5.5.57-0+deb8u1_all.deb
09b92efa14be559a4b8e6c0a17337038952258be 82338 mysql-client_5.5.57-0+deb8u1_all.deb
b1ddfb25eacc1360c0a74ac892f52abaa4703e10 82314 mysql-testsuite_5.5.57-0+deb8u1_all.deb
Checksums-Sha256:
a0a622fb7e7f91e87bbee01510d193034121d645628ba5dc8fe3e8b5977959ef 3262 mysql-5.5_5.5.57-0+deb8u1.dsc
c1c2bd321e524f92e43fe73d0d6745badd538c984c7561b273ae10e9aef57384 21044615 mysql-5.5_5.5.57.orig.tar.gz
b11423f6e61e804c768b677f68e286f97bce008769f9735d7e593ab8e4ed8889 232520 mysql-5.5_5.5.57-0+deb8u1.debian.tar.xz
8e88095a88261a4984fe66ed7489cbed5af2bd82aaa67d41f6ccfbfd5765193c 84234 mysql-common_5.5.57-0+deb8u1_all.deb
11e30857c6c7905185c163c1d9ef4d8bfac0e6656baea019cdaa1a43d956d2f5 82470 mysql-server_5.5.57-0+deb8u1_all.deb
22e6ec5e94a7b3b73f5c792649bc7e1f88a8c391e96ae3254ecb729b5645a808 82338 mysql-client_5.5.57-0+deb8u1_all.deb
5970cb8cd5c0dbaca5a1c51350dd0215d3346862b7b56bb2667119a67b61be45 82314 mysql-testsuite_5.5.57-0+deb8u1_all.deb
Files:
76a78d50c1cd996c1f158a0042d2d49e 3262 database optional mysql-5.5_5.5.57-0+deb8u1.dsc
98103cc90cf483eb1bd4032baa34a315 21044615 database optional mysql-5.5_5.5.57.orig.tar.gz
f0c3316ead0e31627b694284c861ef96 232520 database optional mysql-5.5_5.5.57-0+deb8u1.debian.tar.xz
5702d30bba5319ef92b2cf1b192ed980 84234 database optional mysql-common_5.5.57-0+deb8u1_all.deb
a7565c16ad843800710cd72a5d19bd17 82470 database optional mysql-server_5.5.57-0+deb8u1_all.deb
db02fa8a4b628c67b4c877e3733556bf 82338 database optional mysql-client_5.5.57-0+deb8u1_all.deb
1106954a2c732de78b6c00f83f406960 82314 database optional mysql-testsuite_5.5.57-0+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAll7Ek1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89En9AP/AwHkhUBqRKmPRr7Cvn3p5iXPsJzkirS
H5ATJFgaPXGtOfjv/2BC91P6HbxIeQYKDk4C0x/BjyQduJ8yxG/T5oxko3l6P5Ch
/QchYU4WLZyoylPrwfL8Rr4HQLXnhYJEvdZWkGuyJkZO42XtyWT7dPiGx/iVYwMF
THazQvliFZNmdvr396FkjSwob+/gNSa/e+kNXKoaG1RcCNMlCXNmFcLwcSlE1SOE
//p+KisVEPBGuB12JJk2J5tNcuaZW36TTYhwSRN2J02NocMXBPM7gK6EbMKD1Yfn
h4UwQrmzMWszwrV5gZxQJo0MW2A+1dkY2Bru5zfEDHK/mtuAb8l/uNUYqeBXAXEG
DoWKc3EBLB2Jb2z4l3VloXMthEy2/6Cwxt9xsGkRDQLLmLTBY+63zk7X1urPccv9
/jQA3msJmKA1v8fXFPKLjGDKUbEKEmzZOf/Qy+cMXRaJv+e8vmEC4FZV3ZiCrILn
AX0bh4XJNco9Kybj+l9+vljpfwPj2G2coKHMFHmh+CtrolVfU4dqMkdXAFK64OV7
9ZQUKdfq+SwvUKW+K8KH36u0d38E0p++M2qFEv89adJu9KcRzPY4wYBE4+jgy3OT
dXoEvcJmwhma+sAiX1s2JsSl+exxeHpwRk08tK70wsNKwXjDCXoILsRCfeAucLrT
GBuM2Njp9LIb
=LI0f
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 03 Sep 2017 07:43:42 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:01:44 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.