<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for percona-toolkit, xtrabackup</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2015:0472-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2015-03-03T15:21:17Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2015-03-03T15:21:17Z</InitialReleaseDate>
    <CurrentReleaseDate>2015-03-03T15:21:17Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for percona-toolkit, xtrabackup</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
Percona Toolkit and XtraBackup were updated to fix bugs and security issues.

Percona XtraBackup was vulnerable to a man-in-the-middle (MITM) attack that could allow
exfiltration of MySQL configuration information via the --version-check
option. [boo#919298] CVE-2015-1027 lp#1408375.

The openSUSE package has the version check disabled by default.

Percona Toolkit was updated to 2.2.13:
* Feature lp#1391240: pt-kill added query fingerprint hash to output
* Fixed lp#1402668: pt-mysql-summary fails on cluster in Donor/Desynced status
* Fixed lp#1396870: pt-online-schema-change CTRL+C leaves terminal in inconsistent state
* Fixed lp#1396868: pt-online-schema-change --ask-pass option error
* Fixed lp#1266869: pt-stalk fails to start if $HOME environment variable is not set
* Fixed lp#1019479: pt-table-checksum does not work with sql_mode ONLY_FULL_GROUP_BY
* Fixed lp#1394934: pt-table-checksum error in debug mode
* Fixed lp#1321297: pt-table-checksum reports diffs on timestamp columns in 5.5 vs 5.6
* Fixed lp#1399789: pt-table-checksum fails to find pxc nodes when wsrep_node_incoming_address is set to AUTO
* Fixed lp#1388870: pt-table-checksum has some errors with different time zones
* Fixed lp#1408375: vulnerable to a MITM attack that would allow exfiltration of MySQL configuration information via --version-check [boo#919298] [CVE-2015-1027]
* Fixed lp#1404298: missing MySQL 5.7 test files for pt-table-checksum
* Fixed lp#1403900: added sandbox and fixed sakila test db for 5.7

Percona XtraBackup was updated to version 2.2.9:
* xtrabackup_galera_info file isn't overwritten during the Galera auto-recovery. lp#1418584.
* Percona XtraBackup now sets the maximum supported session value
  for lock_wait_timeout variable to prevent unnecessary timeouts
  when the global value is changed from the default. lp#1410339.
* New option --backup-locks, enabled by default, has been
  implemented to control whether backup locks are used even when
  the server supports them. To disable backup locks, run
  innobackupex with the --no-backup-locks option. lp#1418820.
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/opensuse-updates/2015-03/msg00030.html</URL>
      <Description>E-Mail link for openSUSE-SU-2015:0472-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Version" Name="percona-toolkit-2.2.13-2.14.1">
      <FullProductName ProductID="percona-toolkit-2.2.13-2.14.1">percona-toolkit-2.2.13-2.14.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xtrabackup-2.1.8-25.1">
      <FullProductName ProductID="xtrabackup-2.1.8-25.1">xtrabackup-2.1.8-25.1</FullProductName>
    </Branch>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and man-in-the-middle attacks: an attacker able to modify the server response could reply with a modified command payload, causing the client to return additional running configuration information. This leads to an information disclosure of the running MySQL configuration.</Note>
    </Notes>
    <CVE>CVE-2015-1027</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-updates/2015-03/msg00030.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2015-1027.html</URL>
        <Description>CVE-2015-1027</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/919298</URL>
        <Description>SUSE Bug 919298</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
