<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3Cloom.20120413T161621-537%40post.gmane.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="014233.html">
   <LINK REL="Next"  HREF="014243.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb</H1>
    <B>David Walser</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3Cloom.20120413T161621-537%40post.gmane.org%3E"
       TITLE="[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb">luigiwalser at yahoo.com
       </A><BR>
    <I>Fri Apr 13 16:31:24 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="014233.html">[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
</A></li>
        <LI>Next message: <A HREF="014243.html">[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#14239">[ date ]</a>
              <a href="thread.html#14239">[ thread ]</a>
              <a href="subject.html#14239">[ subject ]</a>
              <a href="author.html#14239">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>AL13N &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">alien at ...</A>&gt; writes:
&gt;<i> 5. someone has a better idea?
</I>&gt;<i> 
</I>&gt;<i> considering the response i got, now i'll default to letting someone else
</I>&gt;<i> handle it, which might mean it never gets fixed. that would also mean for
</I>&gt;<i> me that mageia1 would be a bad version to get LTS on.
</I>
The objections to this have been quite unwarranted.  It sounds like some people
want to institute a new policy that MySQL security bugs won't be fixed.
Upgrading to newer versions of things isn't ideal, but sometimes it's what has
to be done, because there's no other way, and we already do it sometimes in
other cases.  There's no reason this should be any more controversial.

In researching this, it appears that for the security bugs in MySQL (and there
are many, at least one of which is remotely exploitable without
authentication), only the Oracle MySQL developers really know what the
vulnerabilities are and how they were fixed, and they're not telling.  The most
recent MySQL changelog that referenced security vulnerabilities had no details,
and just mentioned two bug numbers.  One of those bug numbers doesn't exist.
The other is not publicly viewable.

At this point, upgrading is the only solution to these security problems, and
other distros have already realized this and updated to one of the newest
releases.  Here are some examples.
RHEL6:
<A HREF="https://rhn.redhat.com/errata/RHSA-2012-0105.html">https://rhn.redhat.com/errata/RHSA-2012-0105.html</A>
<A HREF="https://rhn.redhat.com/errata/RHSA-2011-0164.html">https://rhn.redhat.com/errata/RHSA-2011-0164.html</A>
Fedora 15:
<A HREF="https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15">https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15</A>
Fedora 16:
<A HREF="https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16">https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16</A>
Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2:
<A HREF="http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031">http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031</A>
Mandriva 2010.0, Mandriva 2010.1:
<A HREF="http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012">http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012</A>

For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than
what those other distros have done.  MariaDB is as much a newer version of what
we have now as MySQL 5.5.22 is.  They are both derived from the same code base.
Furthermore, the other distros have been able to upgrade it apparently without
even having to rebuild anything else, so the potential for damage seems to not
be so great after all.

Finally, someone made a comment about our reputation in this thread.  If we
just ignore this and don't issue any security updates because it's &quot;too hard&quot;
or &quot;too scary,&quot; that will hurt our reputation more than anything else.

</PRE>
<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>