Security update re CVE-2016-6662

We’ve just received an email (from Percona, thanks guys!) alerting us to CVE-2016-6662, and that we should be running 5.6.32-78.0 or higher. Being the good people we are, we immediately went and tried to update our Percona servers…

[root@cluster-db-1 ~]# rpm -qa | grep Perc
Percona-XtraDB-Cluster-server-56-5.6.30-25.16.1.el7.x86_64
Percona-XtraDB-Cluster-client-56-5.6.30-25.16.1.el7.x86_64
Percona-XtraDB-Cluster-shared-56-5.6.30-25.16.1.el7.x86_64
Percona-XtraDB-Cluster-56-5.6.30-25.16.1.el7.x86_64
Percona-XtraDB-Cluster-galera-3-3.16-1.rhel7.x86_64
Percona-XtraDB-Cluster-devel-56-5.6.30-25.16.1.el7.x86_64
[root@cluster-db-1 ~]# yum clean metadata
Loaded plugins: fastestmirror
Cleaning repos: base epel extras percona-release-noarch percona-release-x86_64 sensu updates
21 metadata files removed
14 sqlite files removed
0 metadata files removed
[root@cluster-db-1 ~]# yum update
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 8.8 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
percona-release-noarch | 2.4 kB 00:00:00
percona-release-x86_64 | 2.5 kB 00:00:00
sensu | 2.5 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/10): base/7/x86_64/group_gz | 155 kB 00:00:00
(2/10): epel/x86_64/group_gz | 170 kB 00:00:00
(3/10): epel/x86_64/updateinfo | 622 kB 00:00:00
(4/10): percona-release-noarch/7/primary_db | 13 kB 00:00:00
(5/10): percona-release-x86_64/7/x86_64/primary_db | 332 kB 00:00:00
(6/10): extras/7/x86_64/primary_db | 160 kB 00:00:00
(7/10): sensu/x86_64/primary_db | 38 kB 00:00:00
(8/10): base/7/x86_64/primary_db | 5.3 MB 00:00:01
(9/10): epel/x86_64/primary_db | 4.2 MB 00:00:00
(10/10): updates/7/x86_64/primary_db | 7.1 MB 00:00:01
Loading mirror speeds from cached hostfile
* base: mirror.steadfast.net
* epel: mirror.steadfast.net
* extras: mirror.steadfast.net
* updates: mirror.steadfast.net
No packages marked for update
[root@cluster-db-1 ~]#

Has someone forgotten to move the new RPMs out of testing? 8)

Hello,

Will this update also be available for Percona XtraDB Cluster? We are currently using the latest available version, 5.5.41. Is there a plan to implement security fixes and new features in the MySQL 5.5 product line as well?

Thanks in advance

Pavel

The email you received likely refers to Percona Server and not XtraDB Cluster. It will come out after they give it a good testing.

Hi Pavel and Rob,

shockwavecs is correct.

Here is a blog post concerning the CVE-2016-6662 vulnerability: https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/

The update for Percona XtraDB Cluster is planned, but not yet released.

Hi everyone,

Excuse me if this is the wrong place to ask this, but following the blog post regarding the CVE-2016-6662 vulnerability, we are currently using Percona-XtraDB-Cluster-server-56-5.6.26. After checking for an update I get this output.

Is there a guide for a safe upgrade from 5.6.26 to 5.6.30, or do I even need one? Can you provide advice on how to proceed with updating a production cluster? Should I do a rolling upgrade or bring down the whole cluster before doing the update?

Thanks for the time

Regards
Zoe

This package is still affected by the CVE bug. So you’ll have to upgrade twice. We are waiting for the fixed one (could be 5.6.30 or higher).

For the upgrade, it’s pretty straightforward, but you can check whether there are any specific changes by looking at the MySQL changelog between 5.6.26 and 5.6.30. Then you just upgrade one node at a time, and do wait for the node to be in sync again. The best way to check this is to

tail -f /var/log/mysql/mysql.log

and wait for the line

WSREP: Shifting JOINED -> SYNCED

You also have some tutorials on this very website.
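The two checks in the reply above (is this node still on a build older than the one the Percona mail asked for, and has it come back to SYNCED after its restart) as a small shell helper. This is an added example, not code from the thread or from Percona; it assumes GNU coreutils (sort -V), the rpm naming shown earlier in the thread, and 5.6.32 as the target version taken from the mail quoted at the top (substitute whatever fixed PXC build Percona actually ships).

```shell
#!/bin/sh
# Helper checks for a rolling PXC upgrade: added example, not from the thread
# or from Percona. Assumes GNU sort -V and the rpm/log formats seen above.

# Extract the upstream MySQL version (e.g. 5.6.30) from an rpm name such as
# Percona-XtraDB-Cluster-server-56-5.6.30-25.16.1.el7.x86_64
pxc_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^Percona-XtraDB-Cluster-server-56-\([0-9][0-9.]*\)-.*/\1/p'
}

# Return 0 when version $1 is at least version $2 (dotted numeric compare).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Return 0 when installed rpm $1 already carries at least version $2.
node_is_patched() {
    installed="$(pxc_version_from_rpm "$1")"
    [ -n "$installed" ] && version_ge "$installed" "$2"
}

# Return 0 once error log $1 shows the node back in the cluster, i.e. the
# "Shifting JOINED -> SYNCED" line the reply says to wait for.
node_synced() {
    grep -q 'WSREP: Shifting JOINED -> SYNCED' "$1"
}

# Block until the node is synced, polling the log every $2 seconds; run this
# after restarting each node and before touching the next one.
wait_for_synced() {
    until node_synced "$1"; do sleep "${2:-5}"; done
}

# Constructed sample log for a stand-alone run; not real server output.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2016-09-13 10:01:02 1234 [Note] WSREP: Shifting PRIMARY -> JOINER (TO: 1234)
2016-09-13 10:01:05 1234 [Note] WSREP: Shifting JOINER -> JOINED (TO: 1240)
2016-09-13 10:01:09 1234 [Note] WSREP: Shifting JOINED -> SYNCED (TO: 1240)
EOF

# The 5.6.30 build from the thread is below the 5.6.32 the Percona mail asked for.
node_is_patched "Percona-XtraDB-Cluster-server-56-5.6.30-25.16.1.el7.x86_64" 5.6.32 \
    || echo "node still needs the fixed build"
wait_for_synced "$SAMPLE_LOG" 1 && echo "node is back in SYNCED state"
rm -f "$SAMPLE_LOG"
```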

It seems that 5.6.30-25.16-2.jessie has just been added to Debian’s repository. Thanks!