So, because there is no HELP yet, but if you have MYSQL then watch out.
http://legalhackers.com/advisories/MyS…-2016-6662.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
Whereas MARIADB already has it in the
Quote: It (CVE-2016-6662) is fixed in MariaDB 5.5.51, MariaDB 10.0.27 and MariaDB 10.1.17 - which all are available in
I am writing it here because many people with older servers often also still have older MYSQL in use.
Further:
Quote: I think it is also important to keep an eye on the CVE-2016-6663 vulnerability
Quote: VII. BUSINESS IMPACT
-------------------------
As discussed above the vulnerability could be exploited by attackers with both privileged and unprivileged (with FILE privilege only) access to mysql accounts. It could also be combined with CVE-2016-6663 vulnerability which will be released shortly and could allow certain attackers to escalate their privileges to root even without FILE privilege.

The vulnerability could also be exploited via an SQL injection vector, which removes the need for the attackers to have direct mysql connection and increases the risk of exploitation.

Successful exploitation could gain an attacker a remote shell with root privileges which would allow them to fully compromise the remote system.

If exploited, the malicious code would run as soon as MySQL daemon gets restarted. MySQL service restart could happen for a number of reasons.
Oh yes, info on MariaDB:
https://mariadb.com/kb/en/mariadb/security/
Because ZERO DAY, BOTH!
http://www.tecklyfe.com/tag/cve-2016-6663/
Quote: MySQL Zero-Day Allows An Attacker To Take Full Control Of Database
So yet another reason not to use MYSQL any more, right?
Quote: While MariaDB and PerconaDB have fixed the vulnerabilities and Oracle has not, the researcher today has gone ahead and published the proof-of-concept exploit code for CVE-2016-6662.
The last Critical Patch Update (CPU) released by Oracle was on July 19, 2016. Oracle is on a strict security update release schedule that rolls out once every three months and the next Oracle CPU update is scheduled for October 18, 2016.
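To check whether a MariaDB server is at or above the fixed releases quoted in the thread (5.5.51, 10.0.27, 10.1.17 for CVE-2016-6662), here is a small version checker. It is an added example written for this post, not code from the advisory or from MariaDB; it assumes the input is the string returned by SELECT VERSION(), and any branch not named in the quote, or any non-MariaDB build, is reported as "unknown" rather than guessed.

```python
import re

# Fixed MariaDB releases for CVE-2016-6662, exactly as quoted in the thread.
# Branches not listed here are deliberately not judged.
FIXED_VERSIONS = {
    (5, 5): (5, 5, 51),
    (10, 0): (10, 0, 27),
    (10, 1): (10, 1, 17),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor, patch) from a VERSION() string such as
    '10.0.27-MariaDB-0ubuntu0.16.04.1'. Raises ValueError if no numeric prefix."""
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def fix_status(version_string):
    """Return 'fixed', 'vulnerable' or 'unknown' for a VERSION() string.

    'unknown' covers MySQL/Percona builds (their fixed releases differ and are
    not quoted in the thread) and MariaDB branches the quote does not mention."""
    if "mariadb" not in version_string.lower():
        return "unknown"
    major, minor, patch = parse_version(version_string)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def audit(version_strings):
    """Map each VERSION() string to its status; handy when polling many hosts."""
    return {v: fix_status(v) for v in version_strings}


# Constructed sample VERSION() outputs (not taken from real servers).
SAMPLES = [
    "10.0.27-MariaDB-0ubuntu0.16.04.1",
    "5.5.50-MariaDB",
    "10.1.17-MariaDB",
    "10.2.1-MariaDB",
    "5.7.15-log",
]

if __name__ == "__main__":
    for version, status in audit(SAMPLES).items():
        print(f"{version:40} {status}")
```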