The current versions available for FreeBSD are vulnerable since 17.07.2017 and have already been patched upstream. There are multiple vulnerabilities for each version.
Changelogs:
mysql55-server (Old vers.: 5.5.56): https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
mysql56-server (Old vers.: 5.6.36): https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
mysql57-server (Old vers.: 5.7.18): https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html
Vulnerabilities can be found here: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html?elq_mid=82786&sh=1426130622150824190926132209290730261531&cmid=SPPT160711P00036C0001#AppendixMSQL
(In reply to Dani from comment #0) Thanks for reporting :-] The mysql56 is already updated (yesterday) and 57 is hopefully being committed today or tonight. But I'd like to add a point that there are no security fixes in these updates according to release-notes. Therefore, it won't need vuxml.
(In reply to Dani from comment #0) @Dani, oops, sorry, I didn't see the oracle.com link you've posted :))) Yeah, it introduces vulns :)
A commit references this bug:
Author: mmokhi
Date: Wed Jul 19 15:15:43 UTC 2017
New revision: 446203
URL: https://svnweb.freebsd.org/changeset/ports/446203
Log:
  databases/mysql57-{client/server}: Update to 5.7.19
  ChangeLog for this update: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html
  PR: 220849
  Reviewed by: mat (mentor)
  Approved by: mat (mentor)
  Sponsored by: Netzkommune GmbH
  Differential Revision: https://reviews.freebsd.org/D11656
Changes:
  head/databases/mysql57-client/Makefile
  head/databases/mysql57-client/files/patch-CMakeLists.txt
  head/databases/mysql57-client/files/patch-mysys_my__symlink.c
  head/databases/mysql57-server/Makefile
  head/databases/mysql57-server/distinfo
(In reply to commit-hook from comment #3) The update for mysql56 was done yesterday on r446148
A commit references this bug:
Author: mmokhi
Date: Tue Jul 25 15:04:24 UTC 2017
New revision: 446589
URL: https://svnweb.freebsd.org/changeset/ports/446589
Log:
  MFH: r446203
  databases/mysql57-{client/server}: Update to 5.7.19
  ChangeLog for this update: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html
  PR: 220849
  Reviewed by: mat (mentor)
  Approved by: mat (mentor)
  Sponsored by: Netzkommune GmbH
  Differential Revision: https://reviews.freebsd.org/D11656
  Approved by: ports-secteam (feld)
Changes:
  _U branches/2017Q3/
  branches/2017Q3/databases/mysql57-client/Makefile
  branches/2017Q3/databases/mysql57-client/files/patch-CMakeLists.txt
  branches/2017Q3/databases/mysql57-client/files/patch-mysys_my__symlink.c
  branches/2017Q3/databases/mysql57-server/Makefile
  branches/2017Q3/databases/mysql57-server/distinfo
MySQL 5.5 has not been updated yet and is still vulnerable.
Created attachment 184982: Update to MySQL 5.5.57
databases/mysql55-{server client}: Update to latest 5.5.57
(In reply to Dani from comment #7) Successfully built, installed and tested on FreeBSD 10.3. Looks like ale isn't currently available (no response in multiple PRs), so it would be nice if this could be looked at by the sec-team, since it's security related.
Comment on attachment 184982: Update to MySQL 5.5.57
Approved by: portmgr (maintainer timeout, 2 weeks)