A security vuln in MySQL and forks of it has been posted to oss-security today:
http://seclists.org/oss-sec/2016/q3/481
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
This looks like a complicated issue. MySQL is not patched upstream yet and it sounds like this won't happen until their patch day at the end of October. MariaDB is supposed to be fixed since Aug 30 (that'd probably be 10.1.17). I'm unsure if this is fixed in 10.0.x already (which is currently stable in Gentoo). Percona is also affected. We only have testing keywords for percona-server and it's the latest version, so it's probably already okay.
As a note on severity in Gentoo, we install but do not use the mysqld_safe script by default. Instead we call mysqld directly, which does not keep root privileges. A user could call this, but our supplied init scripts do not. Also, this is fixed in MariaDB 5.5.51, 10.0.27, 10.1.17.
(In reply to Brian Evans from comment #1)
> As a note on severity in Gentoo, we install but do not use the mysqld_safe
> script by default.
I have to adjust that, the systemd service does call it. I have a new version of dev-db/mysql-init-scripts ready which does not
For dev-db/percona-server: $URL mentions:
> The vulnerabilities were patched by PerconaDB and MariaDB vendors by
> the end of 30th of August.
But no commit could be identified showing that such a fix was really released. Today an upstream bug report (https://bugs.launchpad.net/percona-server/+bug/1622603) was created to ask for clarification.
Transforming this bug report into a tracker bug...
CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652): SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
(In reply to GLSAMaker/CVETool Bot from comment #5)
> CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652):
> SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling
> SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that
> defines a String query using the @Query annotation, allows attackers to
> execute arbitrary JPQL commands via a sort instance with a function call.
My bad.
This issue was resolved and addressed in GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01 by GLSA coordinator Thomas Deutschmann (whissi).