mariadb / mysql (SSA:2016-257-01)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] mariadb / mysql (SSA:2016-257-01)
Date: Tue, 13 Sep 2016 13:15:07 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] mariadb / mysql (SSA:2016-257-01)
New mariadb or mysql packages are available for Slackware 14.0, 14.1, 14.2,
and -current to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mariadb-10.0.27-i586-1_slack14.2.txz: Upgraded.
This update fixes a critical vulnerability which can allow local and
remote attackers to inject malicious settings into MySQL configuration
files (my.cnf). A successful exploitation could allow attackers to
execute arbitrary code with root privileges which would then allow them
to fully compromise the server.
This issue was discovered and reported by Dawid Golunski.
For more information, see:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
https://jira.mariadb.org/browse/MDEV-10465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mysql-5.5.52-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mysql-5.5.52-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.52-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.52-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mariadb-10.0.27-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mariadb-10.0.27-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-10.0.27-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-10.0.27-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
cb5cacd8647feb4e8ccb6b912c10742e mysql-5.5.52-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
37ffae2b7bc2fd70970946cc5450b784 mysql-5.5.52-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9595e224d42928a06f031626f87d3973 mariadb-5.5.52-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
253fd74ea75f6123d46776dd655ea04a mariadb-5.5.52-x86_64-1_slack14.1.txz
Slackware 14.2 package:
f4aea4bbafd19a66555730884ccf94d4 mariadb-10.0.27-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
8f61d82c1e961de81bd926c8e51680f7 mariadb-10.0.27-x86_64-1_slack14.2.txz
Slackware -current package:
ec71e40899714a5e37d4f050388d25fd ap/mariadb-10.0.27-i586-1.txz
Slackware x86_64 -current package:
1cc7ee6f2903a74660f4320c66fdf24e ap/mariadb-10.0.27-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg mariadb-10.0.27-i586-1_slack14.2.txz
Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlfYUAAACgkQakRjwEAQIjOdhQCfYGvLdF3LQXF1OUPnDjdM3dJv
Fs4An0zqW0znP6BK3FBE2BLwgGYoC4bw
=dWeF
-----END PGP SIGNATURE-----
To: slackware-security@slackware.com
Subject: [slackware-security] mariadb / mysql (SSA:2016-257-01)
Date: Tue, 13 Sep 2016 13:15:07 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] mariadb / mysql (SSA:2016-257-01)
New mariadb or mysql packages are available for Slackware 14.0, 14.1, 14.2,
and -current to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mariadb-10.0.27-i586-1_slack14.2.txz: Upgraded.
This update fixes a critical vulnerability which can allow local and
remote attackers to inject malicious settings into MySQL configuration
files (my.cnf). A successful exploitation could allow attackers to
execute arbitrary code with root privileges which would then allow them
to fully compromise the server.
This issue was discovered and reported by Dawid Golunski.
For more information, see:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
https://jira.mariadb.org/browse/MDEV-10465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mysql-5.5.52-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mysql-5.5.52-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.52-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.52-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mariadb-10.0.27-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mariadb-10.0.27-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mariadb-10.0.27-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/mariadb-10.0.27-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
cb5cacd8647feb4e8ccb6b912c10742e mysql-5.5.52-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
37ffae2b7bc2fd70970946cc5450b784 mysql-5.5.52-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9595e224d42928a06f031626f87d3973 mariadb-5.5.52-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
253fd74ea75f6123d46776dd655ea04a mariadb-5.5.52-x86_64-1_slack14.1.txz
Slackware 14.2 package:
f4aea4bbafd19a66555730884ccf94d4 mariadb-10.0.27-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
8f61d82c1e961de81bd926c8e51680f7 mariadb-10.0.27-x86_64-1_slack14.2.txz
Slackware -current package:
ec71e40899714a5e37d4f050388d25fd ap/mariadb-10.0.27-i586-1.txz
Slackware x86_64 -current package:
1cc7ee6f2903a74660f4320c66fdf24e ap/mariadb-10.0.27-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg mariadb-10.0.27-i586-1_slack14.2.txz
Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlfYUAAACgkQakRjwEAQIjOdhQCfYGvLdF3LQXF1OUPnDjdM3dJv
Fs4An0zqW0znP6BK3FBE2BLwgGYoC4bw
=dWeF
-----END PGP SIGNATURE-----