[debian-mysql] Bug#841049: Bug#841049: Security fixes from the October 2016 CPU

Lars Tangvald lars.tangvald at oracle.com
Mon Oct 17 09:30:18 UTC 2016

As noted in the changelog for 5.6.34 at 
5.6.34 contains a change that requires packaging changes and could 
potentially impact users:

By default the server will restrict the server's access for SELECT INTO 
OUTFILE and LOAD DATA operations to /var/lib/mysql-files, and requires 
the directory to be present at startup.
This behavior can be changed at build-time to either turn such access 
off completely or make it unrestricted (current behavior).

We strongly recommend keeping the default behavior to improve the 
default security, i.e. change packaging to create the mysql-files 
directory. We're not aware of any other packages that rely on this 
functionality, but there is a risk of this change disrupting user workflows.


On 10/17/2016 10:05 AM, Norvald H. Ryeng wrote:
> Source: mysql-5.6
> Version: 5.6.30-1
> Severity: grave
> Tags: security upstream fixed-upstream
> The Oracle Critical Patch Update for October 2016 will be released on 
> Tuesday, October 18. According to the pre-release announcement [1], it 
> will contain information about CVEs fixed in MySQL 5.6.34.
> The CVE numbers will be available when the CPU is released.
> Regards,
> Norvald H. Ryeng
> [1] 
> http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/attachments/20161017/880adcb4/attachment-0001.html>

More information about the pkg-mysql-maint mailing list