From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-April/014239.html | 136 ++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-April/014239.html (limited to 'zarb-ml/mageia-dev/2012-April/014239.html') diff --git a/zarb-ml/mageia-dev/2012-April/014239.html b/zarb-ml/mageia-dev/2012-April/014239.html new file mode 100644 index 000000000..4c0f5141f --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014239.html @@ -0,0 +1,136 @@ + + + + [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb + + + + + + + + + +

[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb

+ David Walser + luigiwalser at yahoo.com +
+ Fri Apr 13 16:31:24 CEST 2012 +

+
+ +
AL13N <alien at ...> writes:
+> 5. someone has a better idea?
+> 
+> considering the response i got, now i'll default to letting someone else
+> handle it, which might mean it never gets fixed. that would also mean for
+> me that mageia1 would be a bad version to get LTS on.
+
+The objections to this have been quite unwarranted.  It sounds like some people
+want to institute a new policy that MySQL security bugs won't be fixed.
+Upgrading to newer versions of things isn't ideal, but sometimes it's what has
+to be done, because there's no other way, and we already do it sometimes in
+other cases.  There's no reason this should be any more controversial.
+
+In researching this, it appears that for the security bugs in MySQL (and there
+are many, at least one of which is remotely exploitable without
+authentication), only the Oracle MySQL developers really know what the
+vulnerabilities are and how they were fixed, and they're not telling.  The most
+recent MySQL changelog that referenced security vulnerabilities had no details,
+and just mentioned two bug numbers.  One of those bug numbers doesn't exist.
+The other is not publicly viewable.
+
+At this point, upgrading is the only solution to these security problems, and
+other distros have already realized this and updated to one of the newest
+releases.  Here are some examples.
+RHEL6:
+https://rhn.redhat.com/errata/RHSA-2012-0105.html
+https://rhn.redhat.com/errata/RHSA-2011-0164.html
+Fedora 15:
+https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15
+Fedora 16:
+https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16
+Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2:
+http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031
+Mandriva 2010.0, Mandriva 2010.1:
+http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012
+
+For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than
+what those other distros have done.  MariaDB is as much a newer version of what
+we have now as MySQL 5.5.22 is.  They are both derived from the same code base.
+Furthermore, the other distros have been able to upgrade it apparently without
+even having to rebuild anything else, so the potential for damage seems to not
+be so great after all.
+
+Finally, someone made a comment about our reputation in this thread.  If we
+just ignore this and don't issue any security updates because it's "too hard"
+or "too scary," that will hurt our reputation more than anything else.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
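Review bot: the header block at the top of the added 014239.html stores the poster's address as "luigiwalser at yahoo.com", which is trivially reversible, while the quoted address a few lines further down is already truncated to "alien at ...". If this tree is published as a web archive, consider masking sender addresses the same way before import. The commit message "Add zarb MLs html archives" also does not say where the archive was exported from or how the HTML was generated, which would help anyone who later needs to regenerate or verify the 136 added lines.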