Bug 212612 - databases/mysql57-server: CVE 2016-6662
Summary: databases/mysql57-server: CVE 2016-6662
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
URL: http://legalhackers.com/advisories/My...
Keywords: security
Depends on: 212690
Blocks: 212606
Reported: 2016-09-12 17:15 UTC by Markus Kohlmeyer
Modified: 2016-11-27 10:47 UTC
CC List: 6 users

See Also:
mmokhi: maintainer-feedback+


Attachments
Patch that updates vuln.xml file for MySQL 57 (1.50 KB, patch)
2016-09-14 17:57 UTC, Mahdi Mokhtari

Description Markus Kohlmeyer 2016-09-12 17:15:26 UTC
+++ This bug was initially created as a clone of Bug #212606 +++

Quoted from the linked advisory:

I. VULNERABILITY
-------------------------

MySQL <= 5.7.15    Remote Root Code Execution / Privilege Escalation (0day)
      <= 5.6.33
      <= 5.5.52

MySQL clones are also affected, including:

MariaDB
PerconaDB
Comment 1 Markus Kohlmeyer 2016-09-14 12:52:18 UTC
Oracle released a fixed version:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
Comment 2 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-09-14 13:28:19 UTC
(In reply to Markus Kohlmeyer from comment #1)
Yeah, I noticed this.
I'm preparing a patch that updates the port.
When it becomes ready I'll attach a vuxml entry for this and open another issue for the update.
Comment 3 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-09-14 17:57:38 UTC
Created attachment 174785
Patch that updates vuln.xml file for MySQL 57

This patch adds a vuxml entry for mysql57.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-09-16 16:17:57 UTC
A commit references this bug:

Author: riggs
Date: Fri Sep 16 16:17:49 UTC 2016
New revision: 422258
URL: https://svnweb.freebsd.org/changeset/ports/422258

Log:
  Document CVE 2016-6662: zero-day remote vulnerability in mysql ports

  PR:		212612
  Submitted by:	mokhi64@gmail.com (mysql57-* maintainer)
  Reported by:	rootservice@gmail.com
  Security:	CVE 2016-6662

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Thomas Zander freebsd_committer freebsd_triage 2016-09-16 16:22:42 UTC
Return to pool such that maintainers / committers of mysql derivatives (mariadb, perconadb) can take the PR and update the vuxml entry accordingly.
Comment 6 Markus Kohlmeyer 2016-11-23 17:54:36 UTC
ping
Comment 7 Mark Felder freebsd_committer freebsd_triage 2016-11-23 19:53:09 UTC
Do we know which version ranges of the MySQL clones are affected?
Comment 8 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-11-24 03:30:42 UTC
(In reply to Mark Felder from comment #7)
I already submitted a vuxml patch.
Would you please check it?
Thanks.
Comment 9 commit-hook freebsd_committer freebsd_triage 2016-11-24 16:06:41 UTC
A commit references this bug:

Author: feld
Date: Thu Nov 24 16:05:43 UTC 2016
New revision: 427039
URL: https://svnweb.freebsd.org/changeset/ports/427039

Log:
  Document MySQL RCE vulnerability

  PR:		212612
  Security:	CVE-2016-6662

Changes:
  head/security/vuxml/vuln.xml
Comment 10 commit-hook freebsd_committer freebsd_triage 2016-11-24 16:08:44 UTC
A commit references this bug:

Author: feld
Date: Thu Nov 24 16:08:28 UTC 2016
New revision: 427042
URL: https://svnweb.freebsd.org/changeset/ports/427042

Log:
  Document additional MySQL vulnerable versions

  No information on which versions of MariaDB or Percona are affected.

  PR:		212612
  Security:	CVE-2016-6662

Changes:
  head/security/vuxml/vuln.xml
Comment 11 Bernard Spil freebsd_committer freebsd_triage 2016-11-27 10:47:04 UTC
Fixed by ports r422257