On Sun, 14 May 2017 07:36:24 -0700 Glen Glen wrote:
The recent update to mysql-community-server-5.6.36-24.3.3.x86_64 introduced a change to /usr/lib/mysql/mysql-systemd-helper:
# diff mysql-systemd-helper.old mysql-systemd-helper 168a169,171
# set the default umask bsc#1020976 umask 077
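Review bot: setting `umask 077` unconditionally this early in mysql-systemd-helper means every directory the script creates afterwards, including the socket directory /var/run/mysql, comes up 0700 instead of 0755, which is exactly the client breakage described in this message. If the intent is to protect data and log files, scope the umask to those steps (a subshell, or reset it before the socket directory is made), or create the socket directory with an explicit mode (`mkdir -m 0755`) so local clients keep search permission on the directory holding mysql.sock.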
After this update, and a subsequent server reboot, the permissions on /var/run/mysql (wherein lives the mysql.sock socket) changed from 0755 to 0700.
This promptly caused all of the application software and programs on my servers which communicate with MySQL to fail, with an "unable to connect" error.
chmod 755 /var/run/mysql fixed the immediate connection problem, and a very hacky change to systemd:
# diff mysql.service.old mysql.service 13a14
ExecStartPost=/usr/bin/chmod 755 /var/run/mysql
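Review bot: ExecStartPost only runs after the main process has been started, so the directory is still 0700 for a moment after every (re)start and a client that races the restart will still fail; it also papers over the helper's umask rather than correcting it. If this workaround stays, and the edit is to the unit shipped under /usr/lib/systemd/system, the next package update will overwrite it; put the line in a drop-in instead (/etc/systemd/system/mysql.service.d/*.conf with a `[Service]` section, then `systemctl daemon-reload`).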
has made it persist between reboots.... for now.
I have read https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00036.html, which says:
This non-security issue was fixed: - Set the default umask to 077 in rc.mysql-multi [bsc#1020976]
So, I am trying to understand why this change was made (since I don't want to revert something deemed an issue) and what the correct response to this change should be. Should all my apps have "just worked" anyway? Is nobody else experiencing problems? Should I be doing something differently?
The programs I run were written by different teams, and run on different servers, and they *all* failed with this patch. I can't believe that I'm the only one affected by this, and am seeking to understand what I'm doing wrong that caused all my software to get tripped up by this change, and what the most correct fixes would be to compensate/adjust on my end.
Guidance, pointers, redirects all solicited and gratefully accepted!
Thanks so much!
Glen

Glen Barney
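An added example, not part of Glen's message or of the openSUSE package, that reproduces what the umask change does to a directory created afterwards (how /var/run/mysql ended up 0700) and shows the durable form of the two fixes: creating the socket directory with an explicit mode so the umask does not matter, and carrying the ExecStartPost workaround in a systemd drop-in rather than in the packaged unit. It assumes Linux with `stat -c` (GNU or BusyBox); the drop-in layout (`<unit>.d/*.conf` under /etc/systemd/system) is standard systemd, but the target directory is a parameter so the script can be exercised against a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the effect of `umask 077`
# on a directory created afterwards, which is how /var/run/mysql ended up
# 0700, and shows the durable versions of the two fixes: creating the
# socket directory with an explicit mode, and carrying the ExecStartPost
# workaround in a systemd drop-in instead of the packaged unit file.
# Assumes GNU/BusyBox `stat -c` (Linux). The drop-in location is the
# standard systemd one (/etc/systemd/system/<unit>.d/*.conf), but the base
# directory is passed in so the function can be tried against a temp dir.
set -eu

# Create DIR under UMASK in a subshell (so the caller's umask is untouched)
# and print the resulting octal mode. 077 yields 700, 022 yields 755.
mode_after_umask() {
    umask_val=$1; dir=$2
    ( umask "$umask_val" && mkdir "$dir" )
    stat -c '%a' "$dir"
}

# Create DIR with an explicit numeric mode even though the umask is 077:
# a numeric -m argument is applied as given, not masked (POSIX mkdir).
mode_with_explicit() {
    mode=$1; dir=$2
    ( umask 077 && mkdir -m "$mode" "$dir" )
    stat -c '%a' "$dir"
}

# A client running as a different user needs execute (search) permission on
# the directory to reach a socket inside it. Return 0 if "other" has x,
# i.e. the last octal digit is odd.
socket_dir_traversable() {
    case "$(stat -c '%a' "$1")" in
        *[1357]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write the ExecStartPost workaround from the message above as a drop-in.
# SYSTEMD_DIR is normally /etc/systemd/system; the file name is arbitrary.
# Prints the path of the file written.
write_dropin() {
    systemd_dir=$1
    d="$systemd_dir/mysql.service.d"
    mkdir -p "$d"
    cat > "$d/socket-dir-perms.conf" <<'EOF'
[Service]
ExecStartPost=/usr/bin/chmod 755 /var/run/mysql
EOF
    printf '%s\n' "$d/socket-dir-perms.conf"
}

# Demonstration against a scratch directory (safe to run as any user):
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    echo "umask 077 -> $(mode_after_umask 077 "$t/a")"
    echo "umask 022 -> $(mode_after_umask 022 "$t/b")"
    echo "mkdir -m 0755 under umask 077 -> $(mode_with_explicit 0755 "$t/c")"
    socket_dir_traversable "$t/a" || echo "$t/a: other users cannot reach a socket in here"
    echo "drop-in written to $(write_dropin "$t/etc")"
    rm -rf "$t"
fi
```

On a real host the drop-in goes in with `write_dropin /etc/systemd/system && systemctl daemon-reload && systemctl restart mysql`; `systemctl cat mysql` then shows the packaged unit followed by the override, and a package update no longer discards it. Restoring 0755 on the socket directory only restores what local clients had before the update: they can reach mysql.sock again, and authentication is still enforced by the server.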
Hi Glen,

https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00036.html says:

"Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4, SUSE Linux Enterprise Server 11-SP4, SUSE Linux Enterprise Debuginfo 11-SP4"

This might explain why asking on this list is not bearing fruit.

As for the origin of the update, there is this (reformatted for e-mail):

From: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

- - - - - 8< - - - - -
CVE#: CVE-2017-3329
Component: MySQL Server
Sub-component: Server: Audit Plug-in
Protocol: MySQL Protocol
Remote Exploit without Auth.?: No
CVSS VERSION 3.0 RISK Base Score: 7.5

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Thread Pooling). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
--> (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack Vector: Network
Attack Complex: Low
Privs Req'd: High
User Interact: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
- - - - - 8< - - - - -

I got the impression while drilling down to the above and reading through various items that many seemingly related (contemporaneous) changes appear, generally, to be addressing security & SSL & server 'hardening'. This is pure speculation on my part, but if the goal posts have been pushed forward by this process, you are likely going to have to explain this latest change to your developers so they can revise their applications accordingly.

hth & regards,
Carl