Security fixes from the October 2016 CPU

Debian Bug report logs - #841049


Package: src:mysql-5.6; Maintainer for src:mysql-5.6 is (unknown);

Reported by: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>

Date: Mon, 17 Oct 2016 08:33:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version mysql-5.6/5.6.30-1

Fixed in version mysql-5.6/5.6.34-1

Done: Lars Tangvald <lars.tangvald@oracle.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#841049; Package src:mysql-5.6. (Mon, 17 Oct 2016 08:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2016 08:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Security fixes from the October 2016 CPU
Date: Mon, 17 Oct 2016 10:05:13 +0200
Source: mysql-5.6
Version: 5.6.30-1
Severity: grave
Tags: security upstream fixed-upstream

The Oracle Critical Patch Update for October 2016 will be released on  
Tuesday, October 18. According to the pre-release announcement [1], it  
will contain information about CVEs fixed in MySQL 5.6.34.

The CVE numbers will be available when the CPU is released.

Regards,

Norvald H. Ryeng

[1]  
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#841049; Package src:mysql-5.6. (Mon, 17 Oct 2016 10:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2016 10:33:04 GMT) (full text, mbox, link).


Message #10 received at 841049@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>
To: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>, 841049@bugs.debian.org
Subject: Re: [debian-mysql] Bug#841049: Security fixes from the October 2016 CPU
Date: Mon, 17 Oct 2016 11:30:18 +0200
As noted in the changelog for 5.6.34 at 
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-34.html,
5.6.34 contains a change that requires packaging changes and could 
potentially impact users:

By default the server will restrict the server's access for SELECT INTO 
OUTFILE and LOAD DATA operations to /var/lib/mysql-files, and requires 
the directory to be present at startup.
This behavior can be changed at build-time to either turn such access 
off completely or make it unrestricted (current behavior).

We strongly recommend keeping the default behavior to improve the 
default security, i.e. change packaging to create the mysql-files 
directory. We're not aware of any other packages that rely on this 
functionality, but there is a risk of this change disrupting user workflows.

--
Lars

On 10/17/2016 10:05 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.6
> Version: 5.6.30-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for October 2016 will be released on 
> Tuesday, October 18. According to the pre-release announcement [1], it 
> will contain information about CVEs fixed in MySQL 5.6.34.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] 
> http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint


Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#841049; Package src:mysql-5.6. (Wed, 19 Oct 2016 05:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 19 Oct 2016 05:57:05 GMT) (full text, mbox, link).


Message #15 received at 841049@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>
To: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>, 841049@bugs.debian.org
Subject: Re: [debian-mysql] Bug#841049: Security fixes from the October 2016 CPU
Date: Wed, 19 Oct 2016 07:54:22 +0200
The following CVEs are noted as fixed since 5.6.30:
CVE-2016-3492 CVE-2016-5507 CVE-2016-5584 CVE-2016-5609
CVE-2016-5612 CVE-2016-5616 CVE-2016-5617 CVE-2016-5626
CVE-2016-5627 CVE-2016-5629 CVE-2016-5630 CVE-2016-6304
CVE-2016-6662 CVE-2016-7440 CVE-2016-8283 CVE-2016-8284

--
Lars

On 10/17/2016 10:05 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.6
> Version: 5.6.30-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for October 2016 will be released on 
> Tuesday, October 18. According to the pre-release announcement [1], it 
> will contain information about CVEs fixed in MySQL 5.6.34.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
>
> Norvald H. Ryeng
>
> [1] 
> http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint




Reply sent to Lars Tangvald <lars.tangvald@oracle.com>:
You have taken responsibility. (Tue, 08 Nov 2016 15:33:11 GMT) (full text, mbox, link).


Notification sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>:
Bug acknowledged by developer. (Tue, 08 Nov 2016 15:33:11 GMT) (full text, mbox, link).


Message #20 received at 841049-close@bugs.debian.org (full text, mbox, reply):

From: Lars Tangvald <lars.tangvald@oracle.com>
To: 841049-close@bugs.debian.org
Subject: Bug#841049: fixed in mysql-5.6 5.6.34-1
Date: Tue, 08 Nov 2016 15:32:11 +0000
Source: mysql-5.6
Source-Version: 5.6.34-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lars Tangvald <lars.tangvald@oracle.com> (supplier of updated mysql-5.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Oct 2016 12:06:09 +0200
Source: mysql-5.6
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-client-core-5.6 mysql-client-5.6 mysql-server-core-5.6 mysql-server-5.6 mysql-server mysql-client mysql-testsuite mysql-testsuite-5.6 mysql-source-5.6
Architecture: source
Version: 5.6.34-1
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Lars Tangvald <lars.tangvald@oracle.com>
Description:
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.6 - MySQL database client binaries
 mysql-client-core-5.6 - MySQL database core client binaries
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.6 - MySQL database server binaries and system database setup
 mysql-server-core-5.6 - MySQL database server binaries
 mysql-source-5.6 - MySQL source
 mysql-testsuite - MySQL regression tests
 mysql-testsuite-5.6 - MySQL 5.6 testsuite
Closes: 841049
Changes:
 mysql-5.6 (5.6.34-1) unstable; urgency=high (security fixes)
 .
   * Imported upstream version 5.6.34 to fix security issues:
     - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
     - CVE-2016-3492 CVE-2016-5507 CVE-2016-5584 CVE-2016-5609
     - CVE-2016-5612 CVE-2016-5616 CVE-2016-5617 CVE-2016-5626
     - CVE-2016-5627 CVE-2016-5629 CVE-2016-5630 CVE-2016-6304
     - CVE-2016-6662 CVE-2016-7440 CVE-2016-8283 CVE-2016-8284
     (Closes: #841049)
   * Packaging will now create /var/lib/mysql-files, as server will now by
     default restrict all import/export operations to this directory. This
     can be changed using the secure-file-priv config option.
   * Change mysql-testsuite dependency from python to libjson-perl.
     Tests written in python were rewritten in perl, so testsuite no longer
     depends on python, but tests fail if libjson-perl is missing. Also added
     libjson-perl build-dep to fix build-time test failures (LP: #1631338)
   * Add working dir to perl lib path for dep8 upstream.
     New versions of perl will no longer automatically include working dir in
     the path. This was causing the mtr suite to fail to start.
   * mysql-common is no longer included in source package as it has been moved
     to src:mysql-defaults
   * Removed patch fix-man-page-links, as the issue is fixed upstream.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
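The secure_file_priv change described in Lars's message above and in the 5.6.34 changelog entry ("Packaging will now create /var/lib/mysql-files ...") is easy to get wrong in a deployment: an empty value restores the old unrestricted behaviour, NULL disables file import/export entirely, and a directory value must exist or the 5.6.34 server will not start. The following audit script is an added example, not code from the bug report or from the Debian package; it assumes the option-file format MySQL uses (a `[mysqld]` section, `-` and `_` interchangeable in option names) and treats /var/lib/mysql-files as the default when the option is absent, as this page states for the Debian build.

```python
"""Audit secure_file_priv in a MySQL option file (added example)."""
import configparser
import os

# Assumption: the Debian 5.6.34 build uses this directory when the option
# is not set, as the changelog on this page states.
DEFAULT_DIR = "/var/lib/mysql-files"


def secure_file_priv(config_text):
    """Return the secure_file_priv value from option-file text, or None if unset.

    MySQL treats '-' and '_' in option names as equivalent, so both
    spellings are accepted; surrounding quotes are removed.
    """
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.optionxform = lambda key: key.lower().replace("-", "_")
    parser.read_string(config_text)
    if not parser.has_section("mysqld"):
        return None
    value = parser.get("mysqld", "secure_file_priv", fallback=None)
    if value is None:  # option absent, or present with no value: treat as unset
        return None
    return value.strip().strip("\"'")


def classify(config_text, dir_exists=os.path.isdir):
    """Map the setting to (status, detail); dir_exists is injectable for tests."""
    value = secure_file_priv(config_text)
    if value is None:
        value = DEFAULT_DIR  # build-time default assumed above
    if value == "":
        return ("UNRESTRICTED", "file import/export allowed anywhere mysqld can read or write")
    if value.upper() == "NULL":
        return ("DISABLED", "SELECT INTO OUTFILE and LOAD DATA are refused")
    if not dir_exists(value):
        return ("MISCONFIGURED", "%s does not exist; 5.6.34 will refuse to start" % value)
    return ("RESTRICTED", "file operations confined to %s" % value)


# Constructed sample option files: the old unrestricted setting and the hardened one.
WEAK_CNF = "[mysqld]\nsecure-file-priv = \"\"\n"
HARDENED_CNF = "[mysqld]\nsecure_file_priv = /var/lib/mysql-files\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, *classify(text))
```

Run it against /etc/mysql/my.cnf (and any file pulled in by !includedir) before upgrading, and compare with `SHOW VARIABLES LIKE 'secure_file_priv'` on the running server, since a command-line override wins over the option file.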




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:38:42 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:07 2019; Machine Name: buxtehude
