Please add patch for CVE-2016-1246 buffer overflow

Bug #1632833 reported by MichielBeijen
Affects: libdbd-mysql-perl (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi, I'm the upstream maintainer of DBD::mysql which is packaged in Ubuntu as libdbd-mysql-perl.

Please note there was a buffer overflow vulnerability discovered and patched with CVE-2016-1246. Debian backported the patch to Jessie:

http://metadata.ftp-master.debian.org/changelogs//main/libd/libdbd-mysql-perl/libdbd-mysql-perl_4.028-2+deb8u2_changelog

But the version in Xenial and Trusty still contains the issue.

MichielBeijen (michiel-beijen) wrote:

See also https://www.debian.org/security/2016/dsa-3684 (where they misspelled the name of the incident reporter - Pali Rohár)

and this announcement by me:
http://blogs.perl.org/users/mike_b/2016/10/security-release---buffer-overflow-in-dbdmysql-perl-library.html

Also, I did send email about this to the oss-security mailing list. Does Ubuntu not follow this list? Patches were in Debian and Fedora pretty soon.

ref: http://seclists.org/oss-sec/2016/q4/13

Marc Deslauriers (mdeslaur) wrote:

Untested pre-release packages are available in the security team PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

They will be released as security updates once they've been through QA,
possibly next week.

Marc Deslauriers (mdeslaur) wrote:

Updates have been published. Thanks!

information type: Private Security → Public Security
Changed in libdbd-mysql-perl (Ubuntu):
status: New → Fix Released
This report contains Public Security information. Everyone can see this security related information.