SB2016101711 - Input validation error in mariadb (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2016-3477)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. Scores reflect additional information provided in http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3089849.xml: "Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server."

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=e2a1cee9f1898c64ed1488ea86e2142e8f02387c
• https://git.alpinelinux.org/aports/commit/?id=d6a52aeca469fc2b01a3dec952226419c9ae2a8b