Security: Execution of arbitrary commands in mysql-mmm
Name: Execution of arbitrary commands in mysql-mmm
ID: FEDORA-2018-ca5321b5ff
Distribution: Fedora
Platforms: Fedora 28
Date: Tue, 15 May 2018, 22:32
References: https://bugzilla.redhat.com/show_bug.cgi?id=1575161
Applications: mysql-mmm


Fedora Update Notification
2018-05-15 20:03:56.912735

Name : mysql-mmm
Product : Fedora 28
Version : 2.2.1
Release : 20.fc28
URL : http://mysql-mmm.org
Summary : Multi-Master Replication Manager for MySQL
Description :
MMM (MySQL Master-Master Replication Manager) is a set of flexible scripts
to perform monitoring/failover and management of MySQL Master-Master
replication configurations (with only one node writable at any time). The
toolset also has the ability to read balance standard master/slave
configurations with any number of slaves, so you can use it to move virtual
IP addresses around a group of servers depending on whether they are behind
in replication. In addition to that, it also has scripts for data backups,
resynchronization between nodes etc.

Update Information:

# Multi-Master Replication Manager for MySQL mmm_agentd Remote Command Vulnerabilities

This update adds data sanitization to inputs for the mmm

Multiple exploitable remote command injection vulnerabilities exist in the
Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd
commonly runs with root privileges and does not require authentication by
default. A specially crafted MMM protocol message can cause a shell command
injection resulting in arbitrary command execution with the privileges of the
mmm_agentd process. An attacker that can initiate a TCP session with mmm_agentd
can trigger these vulnerabilities.

The impact of these vulnerabilities can be lessened by configuring mmm_agentd to
require TLS mutual authentication and by using network ACLs to prevent hosts
other than legitimate mmm_mond hosts from accessing mmm_agentd. For example, on
Linux iptables rules can be used to block access to the port mmm_agentd is
listening on from all hosts except the mmm_monitor. The ssl configuration can be
used where firewall rules are not practical. See the Socket documentation:
http://mysql-mmm.org/mysql-mmm.html#SEC58

Add to mmm_common.conf:

    <socket>
        type      ssl
        cert_file /etc/ssl/certs/www.example.com.bundle.crt
        key_file  /etc/ssl/certs/www.example.com.key
        ca_file   /etc/ssl/certs/ca-bundle.crt   # or ca-certificates.crt
    </socket>

Now only those with access to the private key can send commands. Whilst your web
server certificate will do the job, you may consider registering a dedicated
certificate just for this task.

NOTE: By now there are some good alternatives to MySQL-MMM. Maybe you want to
check out Galera Cluster, which is part of MariaDB Galera Cluster and Percona
XtraDB Cluster.
- http://mysql-mmm.org
- http://galeracluster.com/
- https://mariadb.com/kb/en/library/what-is-mariadb-galera-cluster/
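The iptables mitigation described above, as an added example that is not part of the Fedora notice or of the mysql-mmm project: a POSIX shell function that prints (rather than applies) the rules admitting only the listed mmm_mond hosts to the agent port and dropping everyone else. The port 9989 and the monitor addresses are constructed placeholders; take the real values from your own mmm_common.conf.

```shell
#!/bin/sh
# Added example, not code from the Fedora notice or the mysql-mmm project.
# Emits iptables commands that restrict the TCP port mmm_agentd listens on
# to the mmm_mond hosts given on the command line. Output is printed so it
# can be reviewed before being piped to sh on the agent host.

# Usage: mmm_agent_rules PORT MONITOR_ADDR [MONITOR_ADDR ...]
# A dedicated chain keeps the rules reviewable and flushable on their own.
mmm_agent_rules() {
    port=$1; shift
    # Accept only a numeric TCP port; anything else is refused, not interpolated.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one monitor host is required" >&2; return 1; }

    echo "iptables -N MMM_AGENT"
    echo "iptables -F MMM_AGENT"
    for mon in "$@"; do
        # Only IPv4 addresses or CIDR blocks (digits, dots, slash) are accepted.
        case $mon in
            ''|*[!0-9./]*) echo "invalid monitor address: $mon" >&2; return 1 ;;
        esac
        echo "iptables -A MMM_AGENT -s $mon -p tcp --dport $port -j ACCEPT"
    done
    # Log, then drop, every other caller so unexpected hosts show up in syslog.
    echo "iptables -A MMM_AGENT -p tcp --dport $port -j LOG --log-prefix 'mmm_agentd blocked: '"
    echo "iptables -A MMM_AGENT -p tcp --dport $port -j DROP"
    # Insert at the top of INPUT so a broader ACCEPT rule cannot shadow it.
    echo "iptables -I INPUT -p tcp --dport $port -j MMM_AGENT"
}

# Demonstration with constructed values: placeholder agent port 9989 and
# one monitor host in the RFC 5737 documentation range.
mmm_agent_rules 9989 192.0.2.10
```

The generated rule set also covers several monitors when more than one address is passed, which is the case for a redundant mmm_mond setup.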

* Wed May 2 2018 David Beveridge <dave@bevhost.com> 2.2.1-20
- Patch for mmm_agentd Remote Command Injection Vulnerabilities
- TALOS-2017-0501, CVE-2017-14474 - CVE-2017-14481
* Thu Feb 8 2018 Fedora Release Engineering <releng@fedoraproject.org> -
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

[ 1 ] Bug #1575161

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-ca5321b5ff' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at