Bug 200097

Summary: [MAINTAINER] databases/mariadb100-server Update MariaDB to 10.0.21
Product: Ports & Packages
Reporter: Bernard Spil <brnrd>
Component: Individual Port(s)
Assignee: Bernard Spil <brnrd>
Status: Closed FIXED
Severity: Affects Only Me
CC: fcondo, freebsd, jdc, mail, xmj
Priority: ---
Flags: brnrd: maintainer-feedback+
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://reviews.freebsd.org/D2771
Attachments:
Description | Flags
svn diff for databases/mariadb100-server | none
Poudriere build log of databases mariadb100-server and -client | none
svn diff for databases/mariadb100-server | none
svn diff for databases/mariadb100-server | none
Poudriere testport of databases/mariadb100-client | none
Poudriere testport of databases/mariadb100-server | none

Description Bernard Spil freebsd_committer freebsd_triage 2015-05-10 12:10:14 UTC
Created attachment 156608
svn diff for databases/mariadb100-server

The MariaDB project released 10.0.18 and 10.0.19 in short succession.
This is the update to the current 10.0.19 version.
Seems that OQGraph has been broken for quite some versions now: first of all it requires devel/judy, secondly boost detection on FreeBSD is now fixed (see upstream https://mariadb.atlassian.net/browse/MDEV-8128), yet other issues when using OQGraph remain, marking OQGraph as broken for now.
All patches have been re-rolled with make make-patch.
Comment 1 Bernard Spil freebsd_committer freebsd_triage 2015-05-10 12:12:42 UTC
Created attachment 156609
Poudriere build log of databases mariadb100-server and -client

In excess of 1MB so zipped
Comment 2 Johannes Jost Meixner freebsd_committer freebsd_triage 2015-05-16 10:56:50 UTC
I'll take it.
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2015-05-16 14:20:46 UTC
Created attachment 156826
svn diff for databases/mariadb100-server

Remove dev kludges from patch
Comment 4 Bernard Spil freebsd_committer freebsd_triage 2015-05-18 19:25:29 UTC
Created attachment 156910
svn diff for databases/mariadb100-server

Re-roll patches with make makepatch incl. extra-patch
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2015-05-18 19:26:11 UTC
Created attachment 156911
Poudriere testport of databases/mariadb100-client
Comment 6 Bernard Spil freebsd_committer freebsd_triage 2015-05-18 19:27:12 UTC
Created attachment 156912
Poudriere testport of databases/mariadb100-server

ca. 2MB
Comment 7 Johannes Jost Meixner freebsd_committer freebsd_triage 2015-05-25 02:57:08 UTC
Submitter is committer.
Comment 8 Kristian K. Nielsen 2015-06-09 10:46:02 UTC
Any news on this?
Comment 9 Bernard Spil freebsd_committer freebsd_triage 2015-06-10 18:05:34 UTC
This is now handled via https://reviews.freebsd.org/D2771
Latest patch can be obtained there
Comment 10 Kristian K. Nielsen 2015-07-07 15:39:02 UTC
Any news / status on this? How can we help? And should we look at 10.0.20, which includes the FreeBSD segmentation crash patch as well?
Comment 11 Jeremy Chadwick 2015-07-30 02:16:24 UTC
There are several things going on here, all with relation to CVE-2015-3152.  I will be sending portmgr@ an email about this ticket to see if some progress can be made.  And I apologise in advance for my "stern" wording below, but I write this way when presented with situations such as this.  Summarised facts with references cited:

1. The mariadb100-{client,server} ports are important.  MariaDB, like MySQL, is a commonly-used database; they are what I think most people would classify as "high-importance" ports.

2. CVE-2015-3152 was published in VuXML on July 13th 2015[1].  This affects both mariadb100-{client,server} and mysql56-{client,server}; however, in the case of the latter, ale@ already stated clearly in mysql56-client/Makefile that he will not be updating them for the CVE[2], and there is no mysql57 (side note: I do not know why the VuXML entry hasn't been updated to include mysql56 and friends; Makefile != VuXML).  That means MariaDB is the only source of hope.

3. Details of the CVE itself and what exact MySQL/MariaDB versions are affected are better indicated elsewhere[3]; MariaDB there is listed "N/A" for a fix, however their own security page clearly states that the CVE was fixed with the release of MariaDB 10.0.20[4] which came out June 18th 2015[5].

4. mariadb100-{client,server} has been at 10.0.17 since March 5th 2015[6].  This ticket, to upgrade to 10.0.19, was filed May 10th 2015.  There has been communication and work done here (thank you everyone!), but the last activity in this ticket by the port maintainer was June 10th 2015, which was over a month ago.

5. Port maintainers have a responsibility to respond within 14 days[7] (and I say that with respect -- I was a ports committer myself and maintain 2 ports).  That said, if the maintainer does not have the time to handle this matter (which is perfectly acceptable: it's a volunteer project) then the proper thing to do is relinquish ownership and hand off to ports@ or another committer who could fill in (possibly ale@ but I am not volunteering him -- the mariadb ports have a surprisingly large number of patches in files/ that mandate review).

6. Moving to 10.0.20 would rectify the CVE, but the work done in this ticket would need to be re-evaluated for that version.  And since this is a volunteer project: if asked, I can take a stab at a patch for a 10.0.20 upgrade, but I only build/test on stable/9.

Thank you.

[1]: https://vuxml.freebsd.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html
[2]: http://svnweb.freebsd.org/ports/head/databases/mysql56-client/Makefile?revision=392456&view=markup
[3]: http://www.ocert.org/advisories/ocert-2015-003.html
[4]: https://mariadb.com/kb/en/mariadb/security/
[5]: https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
[6]: http://svnweb.freebsd.org/ports/head/databases/mariadb100-server/Makefile?revision=380551&view=markup
[7]: https://www.freebsd.org/portmgr/policies_contributors.html
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-08-12 13:20:38 UTC
A commit references this bug:

Author: brnrd
Date: Wed Aug 12 13:19:45 UTC 2015
New revision: 394020
URL: https://svnweb.freebsd.org/changeset/ports/394020

Log:
  databases/mariadb100-server: Update to 10.0.21

    - Update to 10.0.21
    - Updates mariadb100-client as well (slave-port)
    - Silence portlint
    - Re-roll patches with makepatch

  [1]	https://mariadb.atlassian.net/browse/MDEV-7398
  [2]	https://mariadb.atlassian.net/browse/MDEV-8128

  Changes:	https://mariadb.com/kb/en/mariadb/mariadb-10021-changelog/

  Differential revision:	https://reviews.freebsd.org/D2771
  Reviewed by:	koobs (mentor), vsevolod (mentor)
  Approved by:	vsevolod (mentor)
  PR:		200097
  Security:	36bd352d-299b-11e5-86ff-14dae9d210b8
  MFH:		2015Q3

Changes:
  head/databases/mariadb100-client/files/patch-CMakeLists.txt
  head/databases/mariadb100-server/Makefile
  head/databases/mariadb100-server/distinfo
  head/databases/mariadb100-server/files/extra-patch-include_my__compare.h
  head/databases/mariadb100-server/files/extra-patch-include_my_compare.h
  head/databases/mariadb100-server/files/patch-CMakeLists.txt
  head/databases/mariadb100-server/files/patch-client_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-cmake__jemalloc.cmake
  head/databases/mariadb100-server/files/patch-cmake_jemalloc.cmake
  head/databases/mariadb100-server/files/patch-extra_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-extra_yassl_taocrypt_src_integer.cpp
  head/databases/mariadb100-server/files/patch-include_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-libmysql_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-libservices_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-man_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-mysys_my__default.c
  head/databases/mariadb100-server/files/patch-mysys_my_default.c
  head/databases/mariadb100-server/files/patch-pcre_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-scripts_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-scripts_mysql__config.sh
  head/databases/mariadb100-server/files/patch-scripts_mysql_config.sh
  head/databases/mariadb100-server/files/patch-scripts_mysqld__safe.sh
  head/databases/mariadb100-server/files/patch-scripts_mysqld_safe.sh
  head/databases/mariadb100-server/files/patch-sql_CMakeLists.txt
  head/databases/mariadb100-server/files/patch-sql_sql__trigger.cc
  head/databases/mariadb100-server/files/patch-sql_sql__view.cc
  head/databases/mariadb100-server/files/patch-sql_sql_trigger.cc
  head/databases/mariadb100-server/files/patch-sql_sql_view.cc
  head/databases/mariadb100-server/files/patch-sql_sys__vars.cc
  head/databases/mariadb100-server/files/patch-sql_sys_vars.cc
  head/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_cmake__modules_TokuFeatureDetection.cmake
  head/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_portability_memory.cc
  head/databases/mariadb100-server/files/patch-support-files_CMakeLists.txt
  head/databases/mariadb100-server/pkg-plist
Comment 13 Jeremy Chadwick 2015-08-12 22:45:25 UTC
(In reply to commit-hook from comment #12)
Thank you, Bernard!  I'll test this out once the pkg cluster builds the pkg and the pkg servers pick it up.
Comment 14 commit-hook freebsd_committer freebsd_triage 2015-08-17 09:22:33 UTC
A commit references this bug:

Author: brnrd
Date: Mon Aug 17 09:21:45 UTC 2015
New revision: 394445
URL: https://svnweb.freebsd.org/changeset/ports/394445

Log:
  MFH: r394020

  databases/mariadb100-server: Update to 10.0.21

    - Update to 10.0.21
    - Updates mariadb100-client as well (slave-port)
    - Silence portlint
    - Re-roll patches with makepatch

  [1]	https://mariadb.atlassian.net/browse/MDEV-7398
  [2]	https://mariadb.atlassian.net/browse/MDEV-8128

  Changes:	https://mariadb.com/kb/en/mariadb/mariadb-10021-changelog/

  Differential revision:	https://reviews.freebsd.org/D2771
  Reviewed by:	koobs (mentor), vsevolod (mentor)
  Approved by:	vsevolod (mentor)
  Approved by:	ports-secteam (feld)
  PR:		200097
  Security:	36bd352d-299b-11e5-86ff-14dae9d210b8

Changes:
_U  branches/2015Q3/
  branches/2015Q3/databases/mariadb100-client/files/patch-CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/Makefile
  branches/2015Q3/databases/mariadb100-server/distinfo
  branches/2015Q3/databases/mariadb100-server/files/extra-patch-include_my__compare.h
  branches/2015Q3/databases/mariadb100-server/files/extra-patch-include_my_compare.h
  branches/2015Q3/databases/mariadb100-server/files/patch-CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-client_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-cmake__jemalloc.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-cmake_jemalloc.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-extra_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-extra_yassl_taocrypt_src_integer.cpp
  branches/2015Q3/databases/mariadb100-server/files/patch-include_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-libmysql_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-libservices_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-man_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-mysys_my__default.c
  branches/2015Q3/databases/mariadb100-server/files/patch-mysys_my_default.c
  branches/2015Q3/databases/mariadb100-server/files/patch-pcre_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysql__config.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysql_config.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysqld__safe.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-scripts_mysqld_safe.sh
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql__trigger.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql__view.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql_trigger.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sql_view.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sys__vars.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-sql_sys_vars.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_cmake__modules_TokuFeatureDetection.cmake
  branches/2015Q3/databases/mariadb100-server/files/patch-storage_tokudb_ft-index_portability_memory.cc
  branches/2015Q3/databases/mariadb100-server/files/patch-support-files_CMakeLists.txt
  branches/2015Q3/databases/mariadb100-server/pkg-plist
Comment 15 Jeremy Chadwick 2015-08-19 03:31:36 UTC
Confirmed this looks good, at least for me -- zero issues after upgrading from package 10.0.17 to 10.0.21.  Thank you so much, Bernard!