Debian Bug report logs - #851234
Security fixes from the January 2017 CPU
Reported by: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
Date: Fri, 13 Jan 2017 08:24:04 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions mysql-5.6/5.6.30-1, mysql-5.6/5.6.34-1
Fixed in version mysql-5.6/5.6.35-1
Done: Lars Tangvald <lars.tangvald@oracle.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#851234; Package src:mysql-5.6. (Fri, 13 Jan 2017 08:24:07 GMT)
Acknowledgement sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>: New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Fri, 13 Jan 2017 08:24:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mysql-5.6
Version: 5.6.34-1
Severity: grave
Tags: security upstream fixed-upstream
The Oracle Critical Patch Update for January 2017 will be released on
Tuesday, January 17. According to the pre-release announcement [1], it
will contain information about CVEs fixed in MySQL 5.6.35.
The CVE numbers will be available when the CPU is released.
Regards,
Norvald H. Ryeng
[1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Marked as found in versions mysql-5.6/5.6.30-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Jan 2017 09:57:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#851234; Package src:mysql-5.6. (Tue, 17 Jan 2017 20:51:05 GMT)
Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>: Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 17 Jan 2017 20:51:05 GMT)
Message #12 received at 851234@bugs.debian.org:
I've built and tested the update, and will pass debdiffs on to the security team once the CVE list is available.
--
Lars
----- norvald.ryeng@oracle.com wrote:
> Source: mysql-5.6
> Version: 5.6.34-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> The Oracle Critical Patch Update for January 2017 will be released on
> Tuesday, January 17. According to the pre-release announcement [1], it
> will contain information about CVEs fixed in MySQL 5.6.35.
>
> The CVE numbers will be available when the CPU is released.
>
> Regards,
> Norvald H. Ryeng
>
> [1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>: Bug#851234; Package src:mysql-5.6. (Wed, 18 Jan 2017 08:21:05 GMT)
Acknowledgement sent to Lars Tangvald <lars.tangvald@oracle.com>, 851234@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 18 Jan 2017 08:21:05 GMT)
Message #17 received at 851234@bugs.debian.org:
CVE List for 5.6:
CVE-2016-8318
CVE-2016-8327
CVE-2017-3238
CVE-2017-3244
CVE-2017-3257
CVE-2017-3258
CVE-2017-3265
CVE-2017-3273
CVE-2017-3291
CVE-2017-3312
CVE-2017-3313
CVE-2017-3317
CVE-2017-3318
--
Lars
On 01/17/2017 09:48 PM, Lars Tangvald wrote:
> I've built and tested the update, and will pass debdiffs on to the security team once the CVE list is available.
>
> --
> Lars
> ----- norvald.ryeng@oracle.com wrote:
>
>> Source: mysql-5.6
>> Version: 5.6.34-1
>> Severity: grave
>> Tags: security upstream fixed-upstream
>>
>> The Oracle Critical Patch Update for January 2017 will be released on
>> Tuesday, January 17. According to the pre-release announcement [1], it
>> will contain information about CVEs fixed in MySQL 5.6.35.
>>
>> The CVE numbers will be available when the CPU is released.
>>
>> Regards,
>> Norvald H. Ryeng
>>
>> [1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Reply sent to Lars Tangvald <lars.tangvald@oracle.com>: You have taken responsibility. (Fri, 20 Jan 2017 15:09:15 GMT)
Notification sent to "Norvald H. Ryeng" <norvald.ryeng@oracle.com>: Bug acknowledged by developer. (Fri, 20 Jan 2017 15:09:15 GMT)
Message #22 received at 851234-close@bugs.debian.org:
Source: mysql-5.6
Source-Version: 5.6.35-1
We believe that the bug you reported is fixed in the latest version of
mysql-5.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 851234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lars Tangvald <lars.tangvald@oracle.com> (supplier of updated mysql-5.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 17 Jan 2017 12:41:15 +0100
Source: mysql-5.6
Binary: libmysqlclient18 mysql-client-core-5.6 mysql-client-5.6 mysql-server-core-5.6 mysql-server-5.6 mysql-testsuite-5.6 mysql-source-5.6
Architecture: source
Version: 5.6.35-1
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: Lars Tangvald <lars.tangvald@oracle.com>
Description:
libmysqlclient18 - MySQL database client library
mysql-client-5.6 - MySQL database client binaries
mysql-client-core-5.6 - MySQL database core client binaries
mysql-server-5.6 - MySQL database server binaries and system database setup
mysql-server-core-5.6 - MySQL database server binaries
mysql-source-5.6 - MySQL source
mysql-testsuite-5.6 - MySQL 5.6 testsuite
Closes: 847992 848118 851156 851234
Changes:
 mysql-5.6 (5.6.35-1) unstable; urgency=high (security fixes)
 .
   [ Andreas Beckmann ]
   * Stop building the unversioned metapackages, these are now built from
     src:mysql-5.7.
   * mysql-server-core-5.6: Add Breaks+Replaces: mysql-server-5.5 for the moved
     innochecksum manpage. (Closes: #847992, #848118)
 .
   [ Lars Tangvald ]
   * Imported upstream version 5.6.35 to fix security issues:
     - http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
     - CVE-2016-8318 CVE-2016-8327 CVE-2017-3238 CVE-2017-3244
     - CVE-2017-3257 CVE-2017-3258 CVE-2017-3265 CVE-2017-3273
     - CVE-2017-3291 CVE-2017-3312 CVE-2017-3313 CVE-2017-3317
     - CVE-2017-3318
     (Closes: #851234)
   * Fix failing test main.events_2
     The test was failing after 2017-01-01 because of a hardcoded date in the test
     Added workaround patch, pending upstream fix.
   * Fix ftbfs with newer libedit versions
     The new version had an api change, causing the cmake check to fail.
     (Closes: #851156)
Checksums-Sha1:
519ca2b073f5c326df6652fd2914ef960dec9861 2735 mysql-5.6_5.6.35-1.dsc
a971f01d711addd87c860fb534d51139a73d5319 32167628 mysql-5.6_5.6.35.orig.tar.gz
d79d38229bf08f8550c5624c404ee71e4540afa9 249340 mysql-5.6_5.6.35-1.debian.tar.xz
Checksums-Sha256:
9636b1669d928eb28f1f21a49883828901f96695d6be15c26f41d69842130e92 2735 mysql-5.6_5.6.35-1.dsc
dddcba169b98844d7c65346cbd791c853edf942d78440381685087b84aa35020 32167628 mysql-5.6_5.6.35.orig.tar.gz
af86365a9b64114d5cb685d65082b4a03e257d357a444e1675c2f3547c36a397 249340 mysql-5.6_5.6.35-1.debian.tar.xz
Files:
3cfb212766b9325dbb911554268fba7c 2735 database optional mysql-5.6_5.6.35-1.dsc
e4f170f6f73aa94c0d8da90019545908 32167628 database optional mysql-5.6_5.6.35.orig.tar.gz
a036542f6a3824318c41e726eed7845c 249340 database optional mysql-5.6_5.6.35-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Feb 2017 07:29:38 GMT)
Last modified: Wed Jun 19 18:31:59 2019