maria-discuss team mailing list archive
Message #03942
Re: Critical Update for CVE-2016-6662
On 12.09.2016 at 20:25, Sergei Golubchik wrote:
> Hi, Alex!
> On Sep 12, Alex wrote:
>> Hello,
>> In regards to this zero day remote exploit, it seems MariaDB is also
>> affected. Percona seems to have released new versions out to fix this.
>> Any news from MariaDB side?
>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
> Yes, it was https://jira.mariadb.org/browse/MDEV-10465,
> fixed in 5.5.51, 10.0.27, 10.1.17, all released last month
thanks
but "MySQL-Exploit-Remote-Root-Code-Execution" is written by fools - how
would a mysqld running as restricted user get root-privileges without
any additional kernel-bug and who in his right mind is running mysqld as
root where with port 3306 it doesn't need those privileges even for startup?
[root@srv-rhsoft:~]$ cat /usr/lib/systemd/system/mysqld.service
[Unit]
Description=MariaDB Database
Before=postfix.service dovecot.service dbmail-imapd.service dbmail-lmtpd.service dbmail-pop3d.service dbmail-timsieved.service
[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
TasksMax=2048
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module kcmp kexec_load keyctl lookup_dcookie mbind mount open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql
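A static check for the privilege-related directives the unit file above relies on, added here as an example and not part of the original message or of any MariaDB tooling. The names `RISKY_CAPS`, `WEAK_UNIT`, `parse_service` and `audit` are assumptions of this example, as is the choice of capabilities; it assumes a system unit with one directive per line and no backslash continuations.

```python
import re

# Capabilities that make a step from service user to root easier (this example's selection).
RISKY_CAPS = {"CAP_SETUID", "CAP_SETGID", "CAP_DAC_OVERRIDE", "CAP_SYS_ADMIN"}

# Constructed sample: a minimal unit with none of the hardening from the message.
WEAK_UNIT = """[Unit]
Description=constructed example
[Service]
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf
"""

def parse_service(text):
    """Return {directive: [values]} for the [Service] section (one directive per line)."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_service(text)
    last = lambda key: opts.get(key, [""])[-1]  # simplification: last assignment wins
    findings = []
    if last("User") in ("", "root", "0"):
        findings.append("service runs as root")
    if last("NoNewPrivileges").lower() not in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges is not enabled")
    caps = last("CapabilityBoundingSet")
    if caps.startswith("~"):               # deny list: every cap not named is kept
        kept = RISKY_CAPS - set(caps[1:].split())
    elif "CapabilityBoundingSet" in opts:  # allow list: only the named caps are kept
        kept = RISKY_CAPS & set(caps.split())
    else:                                  # directive absent: nothing is dropped
        kept = set(RISKY_CAPS)
    if kept:
        findings.append("bounding set keeps " + " ".join(sorted(kept)))
    read_only = {p for k in ("ReadOnlyDirectories", "ReadOnlyPaths")
                 for v in opts.get(k, []) for p in v.split()}
    if "/etc" not in read_only:
        findings.append("/etc is not mounted read-only")
    return findings
```

A `CapabilityBoundingSet=` value that a mail client has wrapped onto a second line is read only up to the line break, so the capabilities on the wrapped line are reported as still kept.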