[debian-mysql] Bug#841050: Bug#841050: Security fixes from the October 2016 CPU

Lars Tangvald lars.tangvald at oracle.com
Wed Oct 19 07:10:59 UTC 2016



On 10/19/2016 08:21 AM, Salvatore Bonaccorso wrote:
> Hi Lars, hi Norvald,
>
> On Wed, Oct 19, 2016 at 08:03:00AM +0200, Lars Tangvald wrote:
>> The following CVEs are fixed in 5.5.53:
>> CVE-2016-6662 CVE-2016-7440 CVE-2016-5584
> The listing of CVE-2016-6662 is confusing here. This should actually
> already be addressed in 5.5.52, cf.
> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>
> Any insight on why Oracle claims it to be only fixed in 5.5.53?
>
> Regards,
> Salvatore
The CPU listing concerns all platforms, and there were some additional 
complexities in the CVE for other platforms.
So for Linux we consider this fixed in 5.5.52, but the complete fix was 
in 5.5.53.
Should I remove the CVE from the Debian changelog entry?
I've got the updated packages built and tested, so should have the 
debdiff pretty much ready.

--
Lars


