Bug 1414386
Summary: | CVE-2017-3265 community-mysql: various flaws [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Mariš <amaris> |
Component: | community-mysql | Assignee: | Michal Schorm <mschorm> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 25 | CC: | hhorak, jstanek, mschorm, thoger |
Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Release Note | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-04-29 01:56:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1414423 |
Description
Adam Mariš
2017-01-18 11:53:59 UTC
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1414335,1414337,1414338,1414342,1414350,1414351,1414352,1414353,1414355,1414357,1414386 # Description of your update notes=Security fix for CVE-2016-8318, CVE-2016-8327, CVE-2017-3238, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3273, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318 # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new Adding parent bug 1414133 (for CVE-2017-3312). Please use this new fedpkg update template when submitting the update: ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1414386,1414335,1414337,1414338,1414342,1414350,1414351,1414352,1414353,1414355,1414357,1414133 # Description of your update notes=Security fix for CVE-2016-8318, CVE-2016-8327, CVE-2017-3238, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3273, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3312 # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Adding parent bug 1414423 (for CVE-2017-3265). Please use this new fedpkg update template when submitting the update: ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1414386,1414133,1414335,1414337,1414338,1414342,1414350,1414351,1414352,1414353,1414355,1414357,1414423 # Description of your update notes=Security fix for CVE-2017-3312, CVE-2016-8318, CVE-2016-8327, CVE-2017-3238, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3273, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3265 # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Adding parent bug 1414429 (for CVE-2017-3291). Please use this new fedpkg update template when submitting the update: ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1414386,1414133,1414335,1414337,1414338,1414342,1414350,1414351,1414352,1414353,1414355,1414357,1414423,1414429 # Description of your update notes=Security fix for CVE-2017-3312, CVE-2016-8318, CVE-2016-8327, CVE-2017-3238, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3273, CVE-2017-3313, CVE-2017-3317, CVE-2017-3318, CVE-2017-3265, CVE-2017-3291 # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== mysql 5.7.18 not yet available. Waiting for release and changelog. https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html Update, thanks to Norvald: All the CVEs listed are fixed in 5.7.17, cf. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL The Critical Patch Update says that, in addition to the CVEs mentioned in the bug report, these CVEs are also fixed in 5.7.17: CVE-2017-3251 CVE-2017-3256 CVE-2017-3319 CVE-2017-3320 Norvald H. Ryeng Note that CVE-2017-3265 is not fixed in Fedora. The flaw exists in the upstream init script that is not used in Fedora packages, however, mysql-prepare-db-dir is derived from it and includes the vulnerable code. Additionally, systemd service file includes PermissionsStartOnly=true, so the mysql-prepare-db-dir run as ExecStartPre is run with root privileges, which is a difference form mariadb packages. It would be non-issue if the script was run as mysql. community-mysql-5.7.18-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ef6bed485e community-mysql-5.7.18-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fe6e14dcf9 community-mysql-5.7.18-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fedb9890c community-mysql-5.7.18-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ef6bed485e community-mysql-5.7.18-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fe6e14dcf9 community-mysql-5.7.18-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fedb9890c community-mysql-5.7.18-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. community-mysql-5.7.18-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. community-mysql-5.7.18-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |