
Bug 616486 (CVE-2017-3308, CVE-2017-3309, CVE-2017-3329, CVE-2017-3450, CVE-2017-3452, CVE-2017-3453, CVE-2017-3456, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3599, CVE-2017-3600)

Summary: <dev-db/mysql-5.6.36: multiple vulnerabilities (CPU Apr 2017)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: major CC: mysql-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 625626    
Bug Blocks: 627892    

Description Agostino Sarubbo gentoo-dev 2017-04-24 11:54:11 UTC
Details at $URL.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2017-05-08 17:53:13 UTC
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mysql-5.6.36 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='server embedded extraengine perl openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-5.6.36.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 05:46:34 UTC
Brian, does the stabilization cover the blocking bug, or should we split them up? (if it does we will just this one to be blocker).
Comment 3 Brian Evans (RETIRED) gentoo-dev 2017-05-09 12:25:28 UTC
(In reply to Yury German from comment #2)
> Brian, does the stabilization cover the blocking bug, or should we split
> them up? (if it does we will just this one to be blocker).

Yes, according to the Oracle advisory link, CVE-2017-3305 affects <=5.5.55 and <=5.6.35
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-10 10:53:52 UTC
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2017-05-13 06:26:03 UTC
arm stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-05-15 11:21:41 UTC
ppc ppc64 stable.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-22 17:32:32 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-25 10:26:06 UTC
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 09:41:15 UTC
Stable on amd64.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-08-15 04:45:20 UTC
Finishing stabilization in bug #625626
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2018-02-20 00:59:54 UTC
This issue was resolved and addressed in
 GLSA 201802-04 at
by GLSA coordinator Thomas Deutschmann (whissi).