GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sat Nov 11, 2017 12:26 am Post subject: [ GLSA 201711-04 ] MariaDB, MySQL |
 |
|
Gentoo Linux Security Advisory
Title: MariaDB, MySQL: Root privilege escalation (GLSA 201711-04)
Severity: normal
Exploitable: remote
Date: 2017-11-10
Bug(s): #635704, #635706
ID: 201711-04
Synopsis
A vulnerability was discovered in MariaDB and MySQL which may allow
local users to gain root privileges.
Background
MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.
Affected Packages
Package: dev-db/mariadb
Vulnerable: < 10.0.30-r1
Unaffected: >= 10.0.30-r1
Architectures: All supported architectures
Package: dev-db/mysql
Vulnerable: < 5.6.36-r1
Unaffected: >= 5.6.36-r1
Architectures: All supported architectures
Description
The Gentoo installation scripts before 2017-09-29 have chown calls for
user-writable directory trees, which allows local users to gain
privileges by leveraging access to the mysql account for creation of a
link.
Impact
A local attacker could escalate privileges to root.
Workaround
There is no known workaround at this time.
Resolution
All MariaDB users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.30-r1"
|
All MySQL users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.36-r1"
|
References
CVE-2017-15945
Last edited by GLSA on Mon Jan 15, 2018 4:16 am; edited 1 time in total |
|
News & Announcements
