Oracle released 5.7.26, which closes multiple vulnerabilities, including four which are remotely exploitable without a valid login. See:
https://vuxml.freebsd.org/freebsd/4e1997e8-5de0-11e9-b95c-b499baebfeaf.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL
This version is still pending release from Oracle.
Latest version is now available: https://dev.mysql.com/downloads/mysql/5.7.html#downloads
Thanks for the heads-up about it.
A commit references this bug:

Author: mmokhi
Date: Sun Apr 28 21:24:36 UTC 2019
New revision: 500372
URL: https://svnweb.freebsd.org/changeset/ports/500372

Log:
  databases/mysql56-{client, server}: Update to latest release 5.6.44

  This update includes
  Bugfix:
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES was not updated when adding an index
  - MySQL 5.6 did not build with maintainer mode enabled with GCC 7
  - A damaged mysql.user table could cause a server exit
  - mysqladmin shutdown did not wait for mysqld to shut down
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-44.html

  Security Fix:
  CVE-2019-1559, CVE-2018-3123 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

Changes:
  head/databases/mysql56-server/Makefile
  head/databases/mysql56-server/distinfo
  head/databases/mysql56-server/files/patch-cmake_plugin.cmake
  head/databases/mysql56-server/pkg-plist

A commit references this bug:

Author: mmokhi
Date: Sun Apr 28 21:34:15 UTC 2019
New revision: 500373
URL: https://svnweb.freebsd.org/changeset/ports/500373

Log:
  databases/mysql57-{client, server}: Update to latest release 5.7.26

  This update includes:
  Bugfix:
  - InnoDB: Optimized internal temporary tables did not support in-place UPDATE operations
  - InnoDB: A function called by a CREATE TABLE thread attempted access after free()
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES was not updated when adding an index
  - The authentication_ldap_simple plugin could enforce authentication incorrectly
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html

  Security Fix:
  CVE-2019-2632, CVE-2019-1559, CVE-2018-3123, and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

Changes:
  head/databases/mysql57-client/files/patch-cmake_plugin.cmake
  head/databases/mysql57-server/Makefile
  head/databases/mysql57-server/distinfo
  head/databases/mysql57-server/files/patch-cmake_plugin.cmake
  head/databases/mysql57-server/files/patch-rapid_plugin_x_CMakeLists.txt
  head/databases/mysql57-server/pkg-plist

A commit references this bug:

Author: mmokhi
Date: Sat May 11 14:15:47 UTC 2019
New revision: 501261
URL: https://svnweb.freebsd.org/changeset/ports/501261

Log:
  databases/mysql80-{client, server}: Update to latest release 8.0.16

  This update includes:
  Bugfixes:
  - InnoDB: Undo tablespaces remained unencrypted after enabling undo tablespace encryption at startup. (Bug #29477795)
  - InnoDB: Problematic macros introduced with undo tablespace DDL support (Bug #29324132, Bug #94243).
  - InnoDB: Static thread local variables defined at the wrong scope were not released at thread exit. (Bug #29305186)
  - Memory leaks discovered in the innochecksum (Bug #28917614, Bug #93164).

  New features:
  - MySQL C API now supports asynchronous functions for nonblocking communication with the MySQL server.
  - MySQL now supports a new Chinese collation, utf8mb4_zh_0900_as_cs
  - CMake now causes the build process to link with the llvm lld linker for Clang if it is available.

  Security Fix:
  CVE-2019-2632, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

Changes:
  head/databases/mysql80-client/files/patch-client_CMakeLists.txt
  head/databases/mysql80-client/files/patch-include_CMakeLists.txt
  head/databases/mysql80-client/files/patch-scripts_CMakeLists.txt
  head/databases/mysql80-client/files/patch-sql_mysqld.cc
  head/databases/mysql80-client/files/patch-support-files_CMakeLists.txt
  head/databases/mysql80-client/pkg-plist
  head/databases/mysql80-server/Makefile
  head/databases/mysql80-server/distinfo
  head/databases/mysql80-server/files/patch-client_CMakeLists.txt
  head/databases/mysql80-server/files/patch-plugin_x_CMakeLists.txt
  head/databases/mysql80-server/files/patch-router_src_harness_CMakeLists.txt
  head/databases/mysql80-server/files/patch-sql_mysqld.cc
  head/databases/mysql80-server/pkg-plist

When can we expect these patches in the quarterly-branch?
A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:27:32 UTC 2019
New revision: 501588
URL: https://svnweb.freebsd.org/changeset/ports/501588

Log:
  MFH: r500372

  databases/mysql56-{client, server}: Update to latest release 5.6.44

  This update includes
  Bugfix:
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES was not updated when adding an index
  - MySQL 5.6 did not build with maintainer mode enabled with GCC 7
  - A damaged mysql.user table could cause a server exit
  - mysqladmin shutdown did not wait for mysqld to shut down
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-44.html

  Security Fix:
  CVE-2019-1559, CVE-2018-3123 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

  Approved by: ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql56-server/Makefile
  branches/2019Q2/databases/mysql56-server/distinfo
  branches/2019Q2/databases/mysql56-server/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql56-server/pkg-plist

A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:30:24 UTC 2019
New revision: 501589
URL: https://svnweb.freebsd.org/changeset/ports/501589

Log:
  MFH: r500373

  databases/mysql57-{client, server}: Update to latest release 5.7.26

  This update includes:
  Bugfix:
  - InnoDB: Optimized internal temporary tables did not support in-place UPDATE operations
  - InnoDB: A function called by a CREATE TABLE thread attempted access after free()
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES was not updated when adding an index
  - The authentication_ldap_simple plugin could enforce authentication incorrectly
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html

  Security Fix:
  CVE-2019-2632, CVE-2019-1559, CVE-2018-3123, and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

  Approved by: ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql57-client/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql57-server/Makefile
  branches/2019Q2/databases/mysql57-server/distinfo
  branches/2019Q2/databases/mysql57-server/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql57-server/files/patch-rapid_plugin_x_CMakeLists.txt
  branches/2019Q2/databases/mysql57-server/pkg-plist

A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:33:32 UTC 2019
New revision: 501591
URL: https://svnweb.freebsd.org/changeset/ports/501591

Log:
  MFH: r501261

  databases/mysql80-{client, server}: Update to latest release 8.0.16

  This update includes:
  Bugfixes:
  - InnoDB: Undo tablespaces remained unencrypted after enabling undo tablespace encryption at startup. (Bug #29477795)
  - InnoDB: Problematic macros introduced with undo tablespace DDL support (Bug #29324132, Bug #94243).
  - InnoDB: Static thread local variables defined at the wrong scope were not released at thread exit. (Bug #29305186)
  - Memory leaks discovered in the innochecksum (Bug #28917614, Bug #93164).

  New features:
  - MySQL C API now supports asynchronous functions for nonblocking communication with the MySQL server.
  - MySQL now supports a new Chinese collation, utf8mb4_zh_0900_as_cs
  - CMake now causes the build process to link with the llvm lld linker for Clang if it is available.

  Security Fix:
  CVE-2019-2632, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR: 237399
  Reported by: Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by: The FreeBSD Foundation

  Approved by: ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql80-client/files/patch-client_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-include_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-scripts_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-sql_mysqld.cc
  branches/2019Q2/databases/mysql80-client/files/patch-support-files_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/pkg-plist
  branches/2019Q2/databases/mysql80-server/Makefile
  branches/2019Q2/databases/mysql80-server/distinfo
  branches/2019Q2/databases/mysql80-server/files/patch-client_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-plugin_x_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-router_src_harness_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-sql_mysqld.cc
  branches/2019Q2/databases/mysql80-server/pkg-plist

(In reply to linus.sundqvist from comment #7)
Thanks for the reminder dear linus, MFH'd as well :)