CVE-2016-6662

Published: 12 September 2016

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
mariadb-10.0 Launchpad, Ubuntu, Debian	Upstream	Released (10.0.27)

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (10.0.27-0ubuntu0.16.04.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
mariadb-5.5 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [5.5.52-1ubuntu0.14.04.1])
mysql-5.5 Launchpad, Ubuntu, Debian	Upstream	Released (5.5.52)

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (5.5.52-0ubuntu0.14.04.1)
mysql-5.6 Launchpad, Ubuntu, Debian	Upstream	Released (5.6.33)

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [5.6.33-0ubuntu0.14.04.1])
mysql-5.7 Launchpad, Ubuntu, Debian	Upstream	Released (5.7.15)

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (5.7.15-0ubuntu2)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (5.7.15-0ubuntu0.16.04.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
mysql-8.0 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Not vulnerable
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
percona-server-5.6 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Ignored (end of standard support, was needed)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
percona-xtradb-cluster-5.5 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was needed)
percona-xtradb-cluster-5.6 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (5.6.34-26.19-0ubuntu0.16.04.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist

References

Bugs

https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6662

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›