Debian Bug report logs - #841049
Security fixes from the October 2016 CPU
Reported by: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
Date: Mon, 17 Oct 2016 08:33:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version mysql-5.6/5.6.30-1
Fixed in version mysql-5.6/5.6.34-1
Done: Lars Tangvald <lars.tangvald@oracle.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#841049; Package src:mysql-5.6. (Mon, 17 Oct 2016 08:33:04 GMT)
Acknowledgement sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>: New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2016 08:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mysql-5.6
Version: 5.6.30-1
Severity: grave
Tags: security upstream fixed-upstream
The Oracle Critical Patch Update for October 2016 will be released on
Tuesday, October 18. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.6.34.
The CVE numbers will be available when the CPU is released.
Regards,
Norvald H. Ryeng
[1] http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#841049; Package src:mysql-5.6. (Mon, 17 Oct 2016 10:33:04 GMT)
Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>: Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2016 10:33:04 GMT)
Message #10 received at 841049@bugs.debian.org:
As noted in the changelog for 5.6.34 at
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-34.html,
5.6.34 contains a change that requires packaging changes and could
potentially impact users:
By default the server will restrict the server's access for SELECT INTO
OUTFILE and LOAD DATA operations to /var/lib/mysql-files, and requires
the directory to be present at startup.
This behavior can be changed at build-time to either turn such access
off completely or make it unrestricted (current behavior).
We strongly recommend keeping the default behavior to improve the
default security, i.e. change packaging to create the mysql-files
directory. We're not aware of any other packages that rely on this
functionality, but there is a risk of this change disrupting user workflows.
--
Lars
On 10/17/2016 10:05 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.6
> Version: 5.6.30-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for October 2016 will be released on
> Tuesday, October 18. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.6.34.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
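The secure_file_priv behaviour Lars describes (and that the changelog entry in the closing message refers to) is easy to undo by accident in a local my.cnf override, so a maintainer or operator wants a quick way to see what a given option file actually does. The following is an added example, not code from this bug report, from Debian or from the MySQL project: a small Python audit that reads the [mysqld] group of a my.cnf text, classifies the secure_file_priv value using MySQL's documented semantics (empty: unrestricted; NULL: import/export disabled; path: confined to that directory), and reports the startup conditions 5.6.34 introduced. The option-file texts, the parser and the audit function are all constructed for this example; the check that flags a directory equal to or inside the data directory reflects the insecure-value warning documented for 5.6.34 and is not something the bug itself mentions.

```python
"""Audit a MySQL option file for the secure_file_priv setting.

Added example; it is not code from this bug report, from Debian or from the
MySQL project. It applies the documented semantics of secure_file_priv:
an empty value leaves LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE()
free to touch any file the mysqld user can reach; NULL disables them; a
path confines them to that directory. It also checks two startup conditions
introduced in MySQL 5.6.34: the directory must exist, and a directory equal
to or inside the data directory is reported as insecure.
All option-file texts below are constructed for this example.
"""
import os

DEBIAN_DEFAULT = "/var/lib/mysql-files"  # directory created by the 5.6.34-1 packaging

# Constructed samples: the weak setting beside the hardened one.
WEAK_CNF = """
[mysqld]
datadir = /var/lib/mysql
# empty value: server-side file access is unrestricted
secure-file-priv =
"""

HARDENED_CNF = """
!includedir /etc/mysql/conf.d/
[mysqld]
datadir = /var/lib/mysql
secure-file-priv = "/var/lib/mysql-files"
"""


def parse_mysqld_options(text):
    """Minimal my.cnf reader returning {option: value} for the [mysqld] group.

    Option names are normalised ('-' becomes '_', as mysqld accepts either),
    a bare option without '=' maps to None, and surrounding quotes are dropped.
    """
    options = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        options[key] = value.strip().strip("\"'") if sep else None
    return options


def audit_secure_file_priv(text, dir_exists=os.path.isdir):
    """Return (status, path, findings) for one option-file text.

    status is 'default', 'unrestricted', 'disabled' or 'restricted'.
    dir_exists is injectable so a config copied from another host can be
    audited without that host's filesystem.
    """
    opts = parse_mysqld_options(text)
    findings = []
    if "secure_file_priv" not in opts:
        findings.append("secure_file_priv not set: the compiled-in default applies "
                        "(empty, i.e. unrestricted, before 5.6.34; %s in 5.6.34-1)"
                        % DEBIAN_DEFAULT)
        return "default", None, findings
    value = opts["secure_file_priv"]
    if not value:  # bare option or empty string
        findings.append("empty secure_file_priv: any account holding the FILE privilege "
                        "can read and write wherever the mysqld user can")
        return "unrestricted", None, findings
    if value.upper() == "NULL":
        return "disabled", None, findings
    path = os.path.normpath(value)
    if not dir_exists(path):
        findings.append("%s does not exist: mysqld 5.6.34+ refuses to start" % path)
    datadir = os.path.normpath(opts.get("datadir") or "/var/lib/mysql")
    if path == datadir or path.startswith(datadir + os.sep):
        findings.append("%s is the data directory or inside it; mysqld reports this "
                        "as insecure" % path)
    if path != DEBIAN_DEFAULT:
        findings.append("%s differs from the packaging default %s" % (path, DEBIAN_DEFAULT))
    return "restricted", path, findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        # dir_exists is stubbed so the demo does not depend on the local filesystem
        print(name, audit_secure_file_priv(cnf, dir_exists=lambda p: True))
```

Run against a real server's option files, leave dir_exists at its default so the existence check uses the local filesystem; the point of the injectable check is that the same audit can run over configs collected from other hosts. The "differs from the packaging default" finding is informational: a site may legitimately choose another directory, but it should be a deliberate choice rather than a leftover from a pre-5.6.34 config.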
Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#841049; Package src:mysql-5.6. (Wed, 19 Oct 2016 05:57:05 GMT)
Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>: Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 19 Oct 2016 05:57:05 GMT)
Message #15 received at 841049@bugs.debian.org:
The following CVEs are noted as fixed since 5.6.30:
CVE-2016-3492 CVE-2016-5507 CVE-2016-5584 CVE-2016-5609
CVE-2016-5612 CVE-2016-5616 CVE-2016-5617 CVE-2016-5626
CVE-2016-5627 CVE-2016-5629 CVE-2016-5630 CVE-2016-6304
CVE-2016-6662 CVE-2016-7440 CVE-2016-8283 CVE-2016-8284
--
Lars
On 10/17/2016 10:05 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.6
> Version: 5.6.30-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for October 2016 will be released on
> Tuesday, October 18. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.6.34.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
Reply sent to Lars Tangvald <lars.tangvald@oracle.com>: You have taken responsibility. (Tue, 08 Nov 2016 15:33:11 GMT)
Notification sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>: Bug acknowledged by developer. (Tue, 08 Nov 2016 15:33:11 GMT)
Message #20 received at 841049-close@bugs.debian.org:
Source: mysql-5.6
Source-Version: 5.6.34-1
We believe that the bug you reported is fixed in the latest version of
mysql-5.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 841049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lars Tangvald <lars.tangvald@oracle.com> (supplier of updated mysql-5.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 18 Oct 2016 12:06:09 +0200
Source: mysql-5.6
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-client-core-5.6 mysql-client-5.6 mysql-server-core-5.6 mysql-server-5.6 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.6 mysql-source-5.6
Architecture: source
Version: 5.6.34-1
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Lars Tangvald <lars.tangvald@oracle.com>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient18 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - PIC version of MySQL embedded server development files
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-5.6 - MySQL database client binaries
mysql-client-core-5.6 - MySQL database core client binaries
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-5.6 - MySQL database server binaries and system database setup
mysql-server-core-5.6 - MySQL database server binaries
mysql-source-5.6 - MySQL source
mysql-testsuite - MySQL regression tests
mysql-testsuite-5.6 - MySQL 5.6 testsuite
Closes: 841049
Changes:
mysql-5.6 (5.6.34-1) unstable; urgency=high (security fixes)
.
* Imported upstream version 5.6.34 to fix security issues:
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- CVE-2016-3492 CVE-2016-5507 CVE-2016-5584 CVE-2016-5609
- CVE-2016-5612 CVE-2016-5616 CVE-2016-5617 CVE-2016-5626
- CVE-2016-5627 CVE-2016-5629 CVE-2016-5630 CVE-2016-6304
- CVE-2016-6662 CVE-2016-7440 CVE-2016-8283 CVE-2016-8284
(Closes: #841049)
* Packaging will now create /var/lib/mysql-files, as server will now by
default restrict all import/export operations to this directory. This
can be changed using the secure-file-priv config option.
* Change mysql-testsuite dependency from python to libjson-perl.
Tests written in python were rewritten in perl, so testsuite no longer
depends on python, but tests fail if libjson-perl is missing. Also added
libjson-perl build-dep to fix build-time test failures (LP: #1631338)
* Add working dir to perl lib path for dep8 upstream.
New versions of perl will no longer automatically include working dir in
the path. This was causing the mtr suite to fail to start.
* mysql-common is no longer included in source package as it has been moved
to src:mysql-defaults
* Removed patch fix-man-page-links, as the issue is fixed upstream.
Checksums-Sha1:
5c822b5386c8aa5bd5ded5f8d1ca7b58f4cf7e70 3113 mysql-5.6_5.6.34-1.dsc
b352b44385668f0d327d3f275f33f660d85497b3 32094762 mysql-5.6_5.6.34.orig.tar.gz
f9978dac603a569d6766a510915b49b79e1c4cdb 248404 mysql-5.6_5.6.34-1.debian.tar.xz
Checksums-Sha256:
e1112fd6605346e3ed3c21cad7cef3b4c4afaa8b6a65688cc6b8dbb1e8b0359e 3113 mysql-5.6_5.6.34-1.dsc
ee90bafec6af3abe2715ccb0b3cc9345ed8d1cce025d41e6ec2b2b7a7d820823 32094762 mysql-5.6_5.6.34.orig.tar.gz
5408bf930b4aba855af820220faeb49a0ed8b90b32110bc4e5f2a13ac6188689 248404 mysql-5.6_5.6.34-1.debian.tar.xz
Files:
45496b261616ba1d9679a433b8af8a31 3113 database optional mysql-5.6_5.6.34-1.dsc
255c5781f0cbb13f0e745b21c0ae3c1c 32094762 database optional mysql-5.6_5.6.34.orig.tar.gz
6bdc93dc74e5d69051bb01cf9f9d8561 248404 database optional mysql-5.6_5.6.34-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJYIePcAAoJEMAFfnFNaU+yvlQQAKrMFgAf9RwAeefl8301GP6+
uyVWxUk+xDmhrxf0LnL6QIQQGufJWI5IA84xm7xf6aXr13h42Tm4w/OUhUXWr0h4
ZgzcBbvpUrCfXUuHWqlO+OzEk5mw3QLdcGFVhFIa43ZybcNOQlaV6N9jno1gOtty
YKyj8Rz0Ix19TT1OPpOpzViiapn2/YwD4HhhfKUbmFbMHSWdiwH+wEcW4qSXB/Zl
3A7Ok5xHBJhehDuhVou960+uE79n3ID4F3OtGceJV6SSSDpzeelWHZ5Gs12M0hNi
OX3iMpy0Okjks7ri9CHFC8s2sBQHHnt6WzZkBL8RHMJPdlAKEtQl0oG22ObYCiRg
dLDUQ05tcvXNWCcqSQndrlDzXVDdtxee8aR/Zdstzyvj1vkLN7jlLy8KglE4yqaP
+Vv7ZyY4cqOIUmK9btvmkETjP0mjajMvMffx9cxWxzY3gehzJ7a7RgFf88+I5gJp
K2ZzlZHOZna3oA2MyRf8cd8B7Z8W6+dPZDmzkh0xPL/GXDNHP6QWfXA/xiQ29iC6
aQ75+d47EevOaneJo+eskIhPl3ZRDVTwUHELvHTXGV8mxnjuS5cR9/1Qa9toqISD
CqCuq7iHU08qdr+CaUT3OIAgITA7F/TzpR52o0q7Dnl1YPRpUxf8UsEvz1OWoamn
Pty8YZrQLSogAsoW+bY2
=JCvB
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:38:42 GMT)
Last modified: Wed Jun 19 18:22:07 2019