Diffstat (limited to 'zarb-ml/mageia-dev/2012-April/014239.html')
-rw-r--r-- | zarb-ml/mageia-dev/2012-April/014239.html | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-April/014239.html b/zarb-ml/mageia-dev/2012-April/014239.html new file mode 100644 index 000000000..4c0f5141f --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014239.html 
@@ -0,0 +1,136 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3Cloom.20120413T161621-537%40post.gmane.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="014233.html"> + <LINK REL="Next" HREF="014243.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb</H1> + <B>David Walser</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3Cloom.20120413T161621-537%40post.gmane.org%3E" + TITLE="[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb">luigiwalser at yahoo.com + </A><BR> + <I>Fri Apr 13 16:31:24 CEST 2012</I> + <P><UL> + <LI>Previous message: <A HREF="014233.html">[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb +</A></li> + <LI>Next message: <A HREF="014243.html">[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#14239">[ date ]</a> + <a href="thread.html#14239">[ thread ]</a> + <a href="subject.html#14239">[ subject ]</a> + <a href="author.html#14239">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>AL13N <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">alien at ...</A>> writes: +><i> 5. someone has a better idea? +</I>><i> +</I>><i> considering the response i got, now i'll default to letting someone else +</I>><i> handle it, which might mean it never gets fixed. 
that would also mean for +</I>><i> me that mageia1 would be a bad version to get LTS on. +</I> +The objections to this have been quite unwarranted. It sounds like some people +want to institute a new policy that MySQL security bugs won't be fixed. +Upgrading to newer versions of things isn't ideal, but sometimes it's what has +to be done, because there's no other way, and we already do it sometimes in +other cases. There's no reason this should be any more controversial. + +In researching this, it appears that for the security bugs in MySQL (and there +are many, at least one of which is remotely exploitable without +authentication), only the Oracle MySQL developers really know what the +vulnerabilities are and how they were fixed, and they're not telling. The most +recent MySQL changelog that referenced security vulnerabilities had no details, +and just mentioned two bug numbers. One of those bug numbers doesn't exist. +The other is not publicly viewable. + +At this point, upgrading is the only solution to these security problems, and +other distros have already realized this and updated to one of the newest +releases. Here are some examples. 
+RHEL6: +<A HREF="https://rhn.redhat.com/errata/RHSA-2012-0105.html">https://rhn.redhat.com/errata/RHSA-2012-0105.html</A> +<A HREF="https://rhn.redhat.com/errata/RHSA-2011-0164.html">https://rhn.redhat.com/errata/RHSA-2011-0164.html</A> +Fedora 15: +<A HREF="https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15">https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15</A> +Fedora 16: +<A HREF="https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16">https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16</A> +Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2: +<A HREF="http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031">http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031</A> +Mandriva 2010.0, Mandriva 2010.1: +<A HREF="http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012">http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012</A> + +For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than +what those other distros have done. MariaDB is as much a newer version of what +we have now as MySQL 5.5.22 is. They are both derived from the same code base. +Furthermore, the other distros have been able to upgrade it apparently without +even having to rebuild anything else, so the potential for damage seems to not +be so great after all. + +Finally, someone made a comment about our reputation in this thread. If we +just ignore this and don't issue any security updates because it's "too hard" +or "too scary," that will hurt our reputation more than anything else. 
+ +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="014233.html">[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb +</A></li> + <LI>Next message: <A HREF="014243.html">[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#14239">[ date ]</a> + <a href="thread.html#14239">[ thread ]</a> + <a href="subject.html#14239">[ subject ]</a> + <a href="author.html#14239">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
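Review bot: The long run of empty added lines between `</PRE>` and `<!--endarticle-->` near the end of the new file carries no content and pads the 136 insertions; collapsing it to a single blank line would keep the archived page smaller without changing how it renders. The markup also mixes tag case within one document: each `<LI>` in the navigation lists is closed with `</li>`, and the file opens with `<HTML>` and `<BODY BGCOLOR="#ffffff">` but ends in `</body></html>`. If these archive pages are ever regenerated or run through a validator, settle on one case.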