This blog is an announcement for a Percona Server update with regards to CVE-2016-6662.
We have added a fix for CVE-2016-6662 in the following releases:
- Percona Server 5.5.51-38.1
- Percona Server 5.5.51-38.2
- Percona Server 5.6.32-78.0
- Percona Server 5.6.32-78.1
- Percona Server 5.7.14-7
- Percona Server 5.7.14-8
- Percona XtraDB Cluster 5.5.41-25.12
- Percona XtraDB Cluster 5.6.30-25.16.2
- Percona XtraDB Cluster 5.6.30-25.16.3
An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662. The vulnerability affects MySQL servers in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers.
Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors. Successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running.
This is a CRITICAL update, and the fix mitigates the potential for remote root code execution.
We encourage our users to update to the latest version of their particular fork as soon as possible, ensuring they have appropriate change management procedures in place beforehand so they can test the update before placing it into production.
Percona would like to thank Dawid Golunski of http://legalhackers.com/ for disclosing this vulnerability in the MySQL software, and working with us to resolve this problem.
What about the Percona-XtraDB-Cluster package?
Ah So I’m not the only one. I thought I had caching issues somewhere or something. But it seems XtraDB has not been patched yet.
+1
+1
+1
This should be pattched in 5.5.41-25.11.1 onward for PXC (https://www.percona.com/blog/2016/09/22/percona-xtradb-cluster-5-5-41-25-11-1-is-now-available/)
Just curious if Percona XtraDB Cluster is also affected… And when to expect patches, if yes.
This should be patched in 5.5.41-25.11.1 onward for PXC (https://www.percona.com/blog/2016/09/22/percona-xtradb-cluster-5-5-41-25-11-1-is-now-available/)
@Remco
As confirmed by percona in mail to users, For that release will come next week.
What about those who were already on percona 5.7.14 7 before this Announcement .Was earlier Binary already patched or need to re download latest binaries.
We ran into memory issues after going from 5.6.23 to this patch. Suspect a memory leak.
How did you identify this? Is this potential bug tracked elsewhere?
It appears that we ran into a memory leak as well.
Yep. I already narrowed it to this 5.6.32-78.0 update. There is no such memory leak in 5.6.31-77.0. Somebody also reported the similar problem for 5.7: https://www.percona.com/forums/questions-discussions/mysql-and-percona-server/percona-server-5-7/45836-memory-usage-and-swap-usage-percona-server-5-7-mysql-5-7
Anyone affected by this memory leak – are you using the audit log plugin?
Anybody is using the audit log plugin?
The link for “Percona Server 5.6.32-78.1” is not correct!