CVE-2016-6662: Remote Root Code Execution / Privilege Escalation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server (moved to https://jira.percona.com/projects/PS) | Fix Released | Undecided | Unassigned |
Gentoo Linux | Unknown | Unknown | |
Bug Description
According to http:// Percona MySQL Server is vulnerable to a remote root exploit discussed there (including PoC).
The advisory states that the following versions are affected:
> MySQL <= 5.7.15
> 5.6.33
> 5.5.52
It further states:
> The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team.
> It was also reported to the other affected vendors including PerconaDB and MariaDB.
>
> The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.
> During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers.
Looking at Percona Server 5.7 release notes at https:/ the latest available release (at the time of writing) is Percona Server 5.7.14-7, released on August 23rd, 2016. The release notes for this particular version do not reference CVE-2016-6662.
Is it correct that there is currently no patched release available for Percona (MySQL) Server?
Which mitigation strategies (other than what is discussed in the researchers' advisory) do you recommend?
While this is a bug report which refers to a security vulnerability, please do keep it open to the public since this is already public information. (I will post it privately so as to notify your security team, then make it public if Launchpad allows me to do so.)
Thank you.
On Gentoo we migrated the old bug report into a tracker bug; updating remote watch to reflect the new bug report for dev-db/percona-server on Gentoo.