[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
David Walser
luigiwalser at yahoo.com
Fri Apr 13 16:31:24 CEST 2012
AL13N <alien at ...> writes:
> 5. someone has a better idea?
>
> considering the response i got, now i'll default to letting someone else
> handle it, which might mean it never gets fixed. that would also mean for
> me that mageia1 would be a bad version to get LTS on.
The objections to this have been quite unwarranted. It sounds like some people
want to institute a new policy that MySQL security bugs won't be fixed.
Upgrading to newer versions of things isn't ideal, but sometimes it's what has
to be done, because there's no other way, and we already do it sometimes in
other cases. There's no reason this should be any more controversial.
In researching this, it appears that for the security bugs in MySQL (and there
are many, at least one of which is remotely exploitable without
authentication), only the Oracle MySQL developers really know what the
vulnerabilities are and how they were fixed, and they're not telling. The most
recent MySQL changelog that referenced security vulnerabilities had no details,
and just mentioned two bug numbers. One of those bug numbers doesn't exist.
The other is not publicly viewable.
At this point, upgrading is the only solution to these security problems, and
other distros have already realized this and updated to one of the newest
releases. Here are some examples.
RHEL6:
https://rhn.redhat.com/errata/RHSA-2012-0105.html
https://rhn.redhat.com/errata/RHSA-2011-0164.html
Fedora 15:
https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15
Fedora 16:
https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16
Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2:
http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031
Mandriva 2010.0, Mandriva 2010.1:
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012
For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than
what those other distros have done. MariaDB is as much a newer version of what
we have now as MySQL 5.5.22 is. They are both derived from the same code base.
Furthermore, the other distros have been able to upgrade it apparently without
even having to rebuild anything else, so the potential for damage seems to not
be so great after all.
Finally, someone made a comment about our reputation in this thread. If we
just ignore this and don't issue any security updates because it's "too hard"
or "too scary," that will hurt our reputation more than anything else.
More information about the Mageia-dev
mailing list