Re: CVE Request: MySQL: MyISAM temporary file issue

[Loganaden Velvindron <loganaden () gmail com>]

On Thu, Sep 11, 2014 at 11:42 PM, Kurt Seifried <kseifried () redhat com> wrote:
> On 11/09/14 01:36 PM, Ritwik Ghoshal wrote:
> > On 9/11/2014 1:28 AM, Sven Kieske wrote:
> > > On 10/09/14 18:00, Salvatore Bonaccorso wrote:
> > > > Hi
> > > >
> > > > The changes for MySQL 5.5.39[1] and 5.6.20[2] contain a reference to
> > > > the following issue, which could be exploited by a local user to run
> > > > arbitrary code in context of the mysqld server.
> > >
> > > While I'm investigating this:
> > > Does someone happen to know in which version this vuln got introduced?
> >
> > A complete list of all affected-supported MySQL releases will be
> > published via Oracle's quarterly Critical Patch Update(CPU) advisory.
> > More information about our CPU program is available at -
> > http://www.oracle.com/technetwork/topics/security/alerts-086861.html
> >
> >
> > Thanks,
> > -Ritwik
>
> So you're saying you won't tell anyone until the middle of October? So
> we have to wait just under 3 months from the release of MySQL 5.5.39 to
> find out exactly what versions are affected by security flaws fixed in it?
>
> Are you serious?

Indeed. Given MySQL's widespread usage, we can't wait that long. Maybe
Oracle needs to review its policy for critical updates.


> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.