[ALUG] MySQL Remote Root Code Execution Vulnerability

Andreas Tauscher ta at geuka.net
Wed Sep 14 23:45:43 EAT 2016


Interesting here, again: Oracle and timing.

The CVE record was created on 10 August, without any publicly accessible data.
More detailed information on what CVE-2016-6662 and CVE-2016-6663 are was
published yesterday.

What I read out of the change logs of MariaDB, Percona Server and MySQL:

MariaDB released the fixed version 5.5.51 on 10 August, and the fix for 10.0 on
25 August. (The 10 series is based on MySQL 5.5 with backports from
MySQL 5.6 and a bunch of extensions.)

Percona released the fixed Percona Server 5.5.51-38.1 (based on MySQL)
on 19 August. From Percona I got a mail about CVE-2016-6662 with the
advice to update ASAP on 12 September.

Oracle released the fixed MySQL 5.5.52 on 6 September.

Nearly a miracle that Oracle managed to release a bug fix before the details
were published. Not usual for them. It can take some years....

Besides some other nice features and storage engines MariaDB has over
MySQL, this timing and what I read in the change logs are more reasons to
replace the last running MySQL servers I have with MariaDB.


Oracle is really becoming a red flag for me.
I lately had a SunFire server on the table. The built-in remote management
software has some issues which can be rated as critical.
Oracle released an update last year. BUT: the update for the management
processor firmware you only get with a service contract subscription.
Minimum annual fee: $960.
Are they nuts? Selling hardware more overpriced than Apple, charging
annual licence fees per CPU their software is running on, on top of the
purchase price, and on top of this you need support subscriptions that
easily reach $10k+ per year even on quite small installations....

Apropos updating:
Adobe released today (like every month, but surprisingly not last
month! Marking this in red in the calendar ;>) an update for the Flash Player.
This month they are fixing 26 critical bugs. Also not an unusual number.
This month again the full programme: from DoS to remote code execution.
I really believe this crap has more bugs than lines of code.
So if you are still using this nonsense, make sure on Windows or Mac you
have version 23.0.0.162 or 18.0.0.375, and on Linux 11.2.202.635.
Unfortunately some sites and applications have still not recognised that
Flash has been an obsolete and dead technology for 10 years.....

And Microsoft released today 13 updates plus the update for Flash. 7 of
the updates are critical.
Today is also the last patch day where you have the choice to install
an update or not. From next month it will be like for Win10:
it is one update file and you must install it; at most you can delay it.
No way to select which updates to install and which not.
Security updates and spyware like the voice search come in one update.
Now the older versions are also becoming really unacceptable....

Andreas
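A version check for the fixed 5.5-series releases named in the mail above (MariaDB 5.5.51, Percona Server 5.5.51-38.1, Oracle MySQL 5.5.52), as an added example that is not part of the original mail or any vendor tool. It takes the string a server returns from `SELECT VERSION();` (or the output of `mysqld --version`), works out which flavour of server it is, and says whether the reported version is at or above the fix. The flavour detection rules and the sample version strings are assumptions constructed for the example; the mail gives no version number for the MariaDB 10.0 fix and says nothing about MySQL 5.6/5.7, so anything outside the 5.5 series is reported as unknown rather than guessed.

```python
import re

# Fixed 5.5-series releases as the mail states them, keyed by server flavour.
# Percona Server carries its own release suffix (5.5.51-38.1), so its tuple
# is longer and the suffix takes part in the comparison.
FIXED_55 = {
    "mariadb": (5, 5, 51),
    "percona": (5, 5, 51, 38, 1),
    "mysql": (5, 5, 52),
}

_BASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_PERCONA_SUFFIX_RE = re.compile(r"^-(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (flavour, version_tuple) from VERSION() or `mysqld --version` output.

    Flavour detection is an assumption based on how these builds label
    themselves: MariaDB includes 'MariaDB' in the string, Percona Server
    appends '-<release>.<minor>' to the base version (e.g. 5.5.51-38.1),
    and a string with neither is treated as an Oracle build. Distribution
    suffixes such as '-0ubuntu0.14.04.1' or '-log' do not match the Percona
    pattern because no '<digits>.<digits>' follows the dash directly.
    """
    m = _BASE_RE.search(version_string)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    base = tuple(int(x) for x in m.groups())
    rest = version_string[m.end():]
    suffix = _PERCONA_SUFFIX_RE.match(rest)
    lowered = version_string.lower()
    if "mariadb" in lowered:
        return "mariadb", base
    if suffix or "percona" in lowered:
        # A Percona build without a parseable suffix is padded with (0, 0),
        # which deliberately errs on the side of reporting it vulnerable.
        extra = tuple(int(x) for x in suffix.groups()) if suffix else (0, 0)
        return "percona", base + extra
    return "mysql", base


def check_cve_2016_6662(version_string):
    """Return 'fixed', 'vulnerable' or 'unknown' for the given version string.

    'unknown' covers everything outside the 5.5 series: the mail gives a date
    but no version number for the MariaDB 10.0 fix and does not mention the
    5.6/5.7 series, so those need a manual check against the vendor advisory.
    """
    flavour, version = parse_version(version_string)
    if version[:2] != (5, 5):
        return "unknown"
    return "fixed" if version >= FIXED_55[flavour] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings, not output captured from real servers.
    samples = (
        "5.5.50-MariaDB",
        "5.5.51-MariaDB-1~wheezy",
        "5.5.50-38.0-log",
        "5.5.51-38.1",
        "5.5.51-log",
        "5.5.52-0ubuntu0.14.04.1",
        "mysqld  Ver 5.5.52 for Linux on x86_64 (MySQL Community Server (GPL))",
        "5.6.32",
        "10.0.26-MariaDB",
    )
    for sample in samples:
        print("%-70s %s" % (sample, check_cve_2016_6662(sample)))
```

One caveat for anyone running this against distribution packages: Debian, Ubuntu and Red Hat sometimes backport a fix without bumping the upstream version number, so a "vulnerable" result from a version string alone should be confirmed against the distribution's changelog before you file it as unpatched.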


