Created attachment 156608 svn diff for databases/mariadb100-server
The MariaDB project released 10.0.18 and 10.0.19 in short succession. This is the update to the current 10.0.19 version. Seems that OQGraph has been broken for quite some versions now: first of all it requires devel/judy; secondly, boost detection on FreeBSD is now fixed (see upstream https://mariadb.atlassian.net/browse/MDEV-8128), yet other issues when using OQGraph remain, marking OQGraph as broken for now. All patches have been re-rolled with make make-patch.
Created attachment 156609 Poudriere build log of databases mariadb100-server and -client In excess of 1MB so zipped
I'll take it.
Created attachment 156826 svn diff for databases/mariadb100-server Remove dev kludges from patch
Created attachment 156910 svn diff for databases/mariadb100-server Re-roll patches with make makepatch incl. extra-patch
Created attachment 156911 Poudriere testport of databases/mariadb100-client
Created attachment 156912 Poudriere testport of databases/mariadb100-server ca. 2MB
Submitter is committer.
Any news on this?
This is now handled via https://reviews.freebsd.org/D2771. Latest patch can be obtained there.
Any news / status on this? How can we help? And should we look at 10.0.20, which includes the FreeBSD segmentation crash patch as well?
There are several things going on here, all with relation to CVE-2015-3152. I will be sending portmgr@ an Email about this ticket to see if some progress can be made. And I apologise in advance for my "stern" wording below, but I write this way when presented with situations such as this.
Summarised facts with references cited:
1. The mariadb100-{client,server} ports are important. MariaDB, like MySQL, is a commonly-used database; they are what I think most people would classify as "high-importance" ports.
2. CVE-2015-3152 was published in VuXML on July 13th 2015[1]. This affects both mariadb100-{client,server} and mysql56-{client,server}; however, in the case of the latter ale@ already stated clearly in mysql56-client/Makefile that he will not be updating them for the CVE[2], and there is no mysql57 (side note: I do not know why the VuXML entry hasn't been updated to include mysql56 and friends; Makefile != VuXML). That means MariaDB is the only source of hope.
3. Details of the CVE itself and what exact MySQL/MariaDB versions are affected are better indicated elsewhere[3]; MariaDB there is listed "N/A" for a fix, however their own security page clearly states that the CVE was fixed with the release of MariaDB 10.0.20[4], which came out June 18th 2015[5].
4. mariadb100-{client,server} has been at 10.0.17 since March 5th 2015[6]. This ticket, to upgrade to 10.0.19, was filed May 10th 2015. There has been communication and work done here (thank you everyone!), but the last activity in this ticket by the port maintainer was June 10th 2015, which was over a month ago.
5. Port maintainers have a responsibility to respond within 14 days[7] (and I say that with respect -- I was a ports committer myself and maintain 2 ports). That said, if the maintainer does not have the time to handle this matter (which is perfectly acceptable: it's a volunteer project) then the proper thing to do is relinquish ownership and hand off to ports@ or another committer who could fill in (possibly ale@ but I am not volunteering him -- the mariadb ports have a surprisingly large number of patches in files/ that mandate review).
6. Moving to 10.0.20 would rectify the CVE, but the work done in this ticket would need to be re-evaluated for that version.
And since this is a volunteer project: if asked, I can take a stab at a patch for a 10.0.20 upgrade, but I only build/test on stable/9. Thank you.
[1]: https://vuxml.freebsd.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html
[2]: http://svnweb.freebsd.org/ports/head/databases/mysql56-client/Makefile?revision=392456&view=markup
[3]: http://www.ocert.org/advisories/ocert-2015-003.html
[4]: https://mariadb.com/kb/en/mariadb/security/
[5]: https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
[6]: http://svnweb.freebsd.org/ports/head/databases/mariadb100-server/Makefile?revision=380551&view=markup
[7]: https://www.freebsd.org/portmgr/policies_contributors.html
A commit references this bug:
Author: brnrd
Date: Wed Aug 12 13:19:45 UTC 2015
New revision: 394020
URL: https://svnweb.freebsd.org/changeset/ports/394020
Log:
  databases/mariadb100-server: Update to 10.0.21
  - Update to 10.0.21
  - Updates mariadb100-client as well (slave-port)
  - Silence portlint
  - Re-roll patches with makepatch
  [1] https://mariadb.atlassian.net/browse/MDEV-7398
  [2] https://mariadb.atlassian.net/browse/MDEV-8128
  Changes: https://mariadb.com/kb/en/mariadb/mariadb-10021-changelog/
  Differential revision: https://reviews.freebsd.org/D2771
  Reviewed by: koobs (mentor), vsevolod (mentor)
  Approved by: vsevolod (mentor)
  PR: 200097
  Security: 36bd352d-299b-11e5-86ff-14dae9d210b8
  MFH: 2015Q3
Changes:
  head/databases/mariadb100-client/files/patch-CMakeLists.txt
  head/databases/mariadb100-server/Makefile
  head/databases/mariadb100-server/distinfo
  head/databases/mariadb100-server/files/extra-patch-include_my__compare.h
  head/databases/mariadb100-server/files/extra-patch-include_my_compare.h
  head/databases/mariadb100-server/files/patch-CMakeLists.txt
  head/databases/mariadb100-server/files/patch-client_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-cmake__jemalloc.cmake
  head/databases/mariadb100-server/files/patch-cmake_jemalloc.cmake
  head/databases/mariadb100-server/files/patch-extra_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-extra_yassl_taocrypt_src_integer.cpp
  head/databases/mariadb100-server/files/patch-include_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-libmysql_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-libservices_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-man_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-mysys_my__default.c
  head/databases/mariadb100-server/files/patch-mysys_my_default.c
  head/databases/mariadb100-server/files/patch-pcre_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-scripts_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-scripts_mysql__config.sh
  head/databases/mariadb100-server/files/patch-scripts_mysql_config.sh
  head/databases/mariadb100-server/files/patch-scripts_mysqld__safe.sh
  head/databases/mariadb100-server/files/patch-scripts_mysqld_safe.sh
  head/databases/mariadb100-server/files/patch-sql_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-sql_sql__trigger.cc
  head/databases/mariadb100-server/files/patch-sql_sql__view.cc
  head/databases/mariadb100-server/files/patch-sql_sql_trigger.cc
  head/databases/mariadb100-server/files/patch-sql_sql_view.cc
  head/databases/mariadb100-server/files/patch-sql_sys__vars.cc
  head/databases/mariadb100-server/files/patch-sql_sys_vars.cc
  head/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_cmake__modules_TokuFeatureDetection.cmake
  head/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_portability_memory.cc
  head/databases/mariadb100-server/files/patch-support-files_CMakeLists.txt
  head/databases/mariadb100-server/pkg-plist
(In reply to commit-hook from comment #12) Thank you, Bernard! I'll test this out once the pkg cluster builds the pkg and the pkg servers pick it up.
A commit references this bug:
Author: brnrd
Date: Mon Aug 17 09:21:45 UTC 2015
New revision: 394445
URL: https://svnweb.freebsd.org/changeset/ports/394445
Log:
  MFH: r394020
  databases/mariadb100-server: Update to 10.0.21
  - Update to 10.0.21
  - Updates mariadb100-client as well (slave-port)
  - Silence portlint
  - Re-roll patches with makepatch
  [1] https://mariadb.atlassian.net/browse/MDEV-7398
  [2] https://mariadb.atlassian.net/browse/MDEV-8128
  Changes: https://mariadb.com/kb/en/mariadb/mariadb-10021-changelog/
  Differential revision: https://reviews.freebsd.org/D2771
  Reviewed by: koobs (mentor), vsevolod (mentor)
  Approved by: vsevolod (mentor)
  Approved by: ports-secteam (feld)
  PR: 200097
  Security: 36bd352d-299b-11e5-86ff-14dae9d210b8
Changes:
  _U branches/2015Q3/
  branches/2015Q3/databases/mariadb100-client/files/patch-CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/Makefile
  branches/2015Q3/databases/mariadb100-server/distinfo
  branches/2015Q3/databases/mariadb100-server/files/extra-patch-include_my__compare.h
  branches/2015Q3/databases/mariadb100-server/files/extra-patch-include_my_compare.h
  branches/2015Q3/databases/mariadb100-server/files/patch-CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-client_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-cmake__jemalloc.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-cmake_jemalloc.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-extra_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-extra_yassl_taocrypt_src_integer.cpp
  branches/2015Q3/databases/mariadb100-server/files/patch-include_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-libmysql_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-libservices_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-man_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-mysys_my__default.c
  branches/2015Q3/databases/mariadb100-server/files/patch-mysys_my_default.c
  branches/2015Q3/databases/mariadb100-server/files/patch-pcre_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysql__config.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysql_config.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysqld__safe.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysqld_safe.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql__trigger.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql__view.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql_trigger.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql_view.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sys__vars.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sys_vars.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_cmake__modules_TokuFeatureDetection.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_portability_memory.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-support-files_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/pkg-plist
Confirmed this looks good, at least for me -- zero issues after upgrading from package 10.0.17 to 10.0.21. Thank you so much, Bernard!