File _patchinfo of Package patchinfo.6697

<patchinfo incident="6697">
  <issue id="1020976" tracker="bnc">root umask 077 screws up the /etc/init.d/mysql init script</issue>
  <issue id="1022428" tracker="bnc">VUL-0: CVE-2017-3302: mariadb: Use after free in libmysqlclient.so</issue>
  <issue id="1029014" tracker="bnc">VUL-0: CVE-2016-5483: mysql: mysqldump: arbitrary SQL-queries and shell commands execution</issue>
  <issue id="1029396" tracker="bnc">VUL-0: CVE-2017-3305: mysql, mariadb: MySQL client send authentication request unencrypted even if SSL is REQUIRED (RIDDDLE.LINK)</issue>
  <issue id="1034850" tracker="bnc">VUL-0: mysql: April 2017 security update to 5.5.55</issue>
  <issue id="889126" tracker="bnc">MariaDB config files not seen by Unix non-root users. Permission Problem in Package</issue>
  <issue id="2016-5483" tracker="cve" />
  <issue id="2017-3302" tracker="cve" />
  <issue id="2017-3305" tracker="cve" />
  <issue id="2017-3308" tracker="cve" />
  <issue id="2017-3309" tracker="cve" />
  <issue id="2017-3329" tracker="cve" />
  <issue id="2017-3450" tracker="cve" />
  <issue id="2017-3452" tracker="cve" />
  <issue id="2017-3453" tracker="cve" />
  <issue id="2017-3456" tracker="cve" />
  <issue id="2017-3461" tracker="cve" />
  <issue id="2017-3462" tracker="cve" />
  <issue id="2017-3463" tracker="cve" />
  <issue id="2017-3464" tracker="cve" />
  <issue id="2017-3599" tracker="cve" />
  <issue id="2017-3600" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>kstreitova</packager>
  <description>
This update for mysql-community-server to version 5.6.36 fixes the following issues:

These security issues were fixed:

- CVE-2016-5483: mysqldump failed to properly quote certain identifiers in SQL statements written to the dump output, allowing execution of arbitrary commands (bsc#1029014).
- CVE-2017-3305: The MySQL client sent the authentication request unencrypted even if SSL was required (aka Riddle) (bsc#1029396).
- CVE-2017-3308: Unspecified vulnerability in Server: DML (boo#1034850).
- CVE-2017-3309: Unspecified vulnerability in Server: Optimizer (boo#1034850).
- CVE-2017-3329: Unspecified vulnerability in Server: Thread (boo#1034850).
- CVE-2017-3453: Unspecified vulnerability in Server: Optimizer (boo#1034850).
- CVE-2017-3456: Unspecified vulnerability in Server: DML (boo#1034850).
- CVE-2017-3461: Unspecified vulnerability in Server: Security (boo#1034850).
- CVE-2017-3462: Unspecified vulnerability in Server: Security (boo#1034850).
- CVE-2017-3463: Unspecified vulnerability in Server: Security (boo#1034850).
- CVE-2017-3464: Unspecified vulnerability in Server: DDL (boo#1034850).
- CVE-2017-3302: Crash (use after free) in libmysqlclient.so (bsc#1022428).
- CVE-2017-3450: Unspecified vulnerability in Server: Memcached.
- CVE-2017-3452: Unspecified vulnerability in Server: Optimizer.
- CVE-2017-3599: Unspecified vulnerability in Server: Pluggable Auth.
- CVE-2017-3600: Unspecified vulnerability in Client: mysqldump (boo#1034850).
- The client option '--ssl-mode=REQUIRED' can be specified to require a secure connection; the connection attempt fails if a secure connection cannot be established.

These non-security issues were fixed:

- Set the default umask to 077 in mysql-systemd-helper (boo#1020976).
- Change permissions of the configuration directory and files to 755/644.
  Please note that storing a password in the /etc/my.cnf file is
  not safe; use, for example, an option file that is readable only
  by your own user (boo#889126).

For more information please see http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-36.html
</description>
  <summary>Security update for mysql-community-server</summary>
</patchinfo>