Bug 212606 - databases/mysql*-server, databases/percona*-server: CVE 2016-6662
Summary: databases/mysql*-server, databases/percona*-server: CVE 2016-6662
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Ports Security Team
URL: http://legalhackers.com/advisories/My...
Keywords: security
Depends on: 212612 212613 212614 212615 212616 212617 212618 212619
Blocks:
Reported: 2016-09-12 13:49 UTC by Markus Kohlmeyer
Modified: 2016-11-27 10:50 UTC
koobs: maintainer-feedback? (brnrd)
mmokhi: maintainer-feedback+
koobs: maintainer-feedback? (ale)
koobs: merge-quarterly?
koobs: exp-run?
Description Markus Kohlmeyer 2016-09-12 13:49:15 UTC
Quoted from the linked advisory:


I. VULNERABILITY
-------------------------

MySQL  <= 5.7.15       Remote Root Code Execution / Privilege Escalation (0day)
	  5.6.33
 	  5.5.52

MySQL clones are also affected, including:

MariaDB
PerconaDB
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2016-09-12 14:21:41 UTC
Over to ports-secteam to coordinate multiple port/issue resolutions
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-09-12 14:41:06 UTC
Please create separate issues blocking this bug for tracking changes in each port
Comment 3 Markus Kohlmeyer 2016-09-12 17:26:16 UTC
Opened individual bugs as requested
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2016-09-13 10:46:38 UTC
CC Alex for mysql* ports

Maintainers, please note that the resolution consists of:

- package entries for affected ports in security/vuxml
- ports updated to non-vulnerable versions
- fixed (non-vulnerable) versions merged to the quarterly branch

@Bernard databases/mariadb*-server was removed from the summary. Does this mean no mariadb ports are affected? If it was removed because mariadb ports have all been updated/merged/added to vuxml, please leave it in the summary so it is a correct reflection of scope of the reported issue/vulnerability
Comment 5 Markus Kohlmeyer 2016-11-23 17:55:05 UTC
ping
Comment 6 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-11-24 03:27:21 UTC
(In reply to Markus Kohlmeyer from comment #5)
Pong.
AFAIK, all affected ports are fixed[1] and the vuxml entry has been added.
I don't see why this is still open.

[1] except ale@'s ports; I haven't seen any activity from him on mysql56 for a long time.
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2016-11-27 10:50:27 UTC
All linked variants' PRs have been closed.