Oracle Critical Patch Update for MySQL

Oracle has released the Critical Patch Update (CPU) for July 2014. The Oracle MySQL Risk Matrix lists 10 security fixes.

It took me some time to understand the subcomponent names. So here is the list with the full name of each subcomponent:

Subcomponent	Full name
SRFTS	Server: Full Text Search
SRINFOSC	Server: INFORMATION_SCHEMA
SRCHAR	Server: Character sets
ENARC	Engine: Archive
SROPTZR	Server: Optimizer
SRREP	Server: Replication
SRSP	Server: Stored Procecure
ENFED	Engine: Federated

I don't think there is anything really important in the list, but it might be a good trigger to update to the latest release.

Upgrading should be easy especially if you're using the APT or YUM repositories from Oracle. If you're upgrading to a new major release (e.g. from 5.5 to 5.6) then you should read the instructions in the reference manual.

MySQL in Oracle Critical Patch Update Advisory January 2014

Oracle has released the Critical Patch Update (CPU) advisory for January 2014.

The affected MySQL products are:

• Oracle MySQL Enterprise Monitor, versions 2.3, 3.0 

• Oracle MySQL Server, versions 5.1, 5.5, 5.6

So this means that you should consider updating MySQL. For MySQL Enterprise the updates should be available on My Oracle Support and for the Community version the new versions are on the regular download locations. I guess the official repositories are already updated.

For MySQL 5.6 you should upgrade to 5.6.15
For MySQL 5.5 you should upgrade to 5.5.35
For MySQL 5.1 you should upgrade to 5.1.73

If you use the MySQL release from your distribution you should ask them to fix the CVE numbers fixed in these releases (if they didn't do that already).

The highest CVSS score for MEM is 10 and for MySQL the highest score is 6.8.

Update: for more information see this blog post by Dave Stokes.