
maria-discuss team mailing list archive

Re: Critical Update for CVE-2016-6662

 

Hi, Alex!

On Sep 13, Alex wrote:
> From what I noticed, CentOS 6 hosts that were on MySQL 5.6, or MariaDB
> 10.1.17 are using the mysqld_safe.
> Upgraded CentOS 7 hosts, and mysqld_safe is no longer a running process
> for MariaDB 10.1.17.
>
> Would this mean that only the hosts that do not run the mysqld_safe are
> safe?

No, that could be a coincidence.

It is true that the necessary part of the exploit is to run mysqld_safe.
If you use systemd - this particular exploit won't work.

But the vulnerability was fixed in 10.1.17, so even if you'd run
mysqld_safe in 10.1.17 - you would've been safe.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
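
The two conditions in the reply above (server version versus how mysqld is launched) can be checked separately per host. The following is an added example, not part of the original message and not MariaDB project code; the function names, result labels and sample process listings are assumptions made for illustration, and only the 10.1 series is judged because 10.1.17 is the only fixed version the message names.

```shell
#!/bin/sh
# Added triage example. Only the 10.1 fix version (10.1.17) comes from the
# message above; any other release series is reported as "unknown".
FIXED_10_1_PATCH=17

# Constructed sample process listings (not captured from a real host).
SAMPLE_PS_SAFE='root 1201 1 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql
mysql 1350 1201 /usr/sbin/mysqld --basedir=/usr'
SAMPLE_PS_SYSTEMD='mysql 988 1 /usr/sbin/mysqld'

# uses_mysqld_safe PS_OUTPUT: succeeds if a mysqld_safe process is listed.
uses_mysqld_safe() {
    printf '%s\n' "$1" | grep -Eq '(^|[ /])mysqld_safe( |$)'
}

# classify VERSION PS_OUTPUT: prints fixed, unpatched-mysqld_safe,
# unpatched-no-mysqld_safe, or unknown.
classify() {
    version=${1%%-*}                 # "10.1.17-MariaDB" -> "10.1.17"
    case "$version" in *.*.*) ;; *) echo unknown; return ;; esac
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" != 10 ] || [ "$minor" != 1 ]; then
        echo unknown; return         # fix version not stated in the message
    fi
    # The version decides first: a fixed server is fine with or without
    # mysqld_safe. The launcher only matters for unpatched servers.
    if [ "$patch" -ge "$FIXED_10_1_PATCH" ]; then
        echo fixed
    elif uses_mysqld_safe "$2"; then
        echo unpatched-mysqld_safe
    else
        echo unpatched-no-mysqld_safe
    fi
}
```

On a real host the two arguments would come from the server's reported version string and a process listing such as the output of `ps -ef`.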

