Bug 211248 - databases/mysql55-server, databases/mysql56-server, databases/mysql57-server: Multiple CVE
Summary: databases/mysql55-server, databases/mysql56-server, databases/mysql57-server:...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Ports Security Team
URL: http://www.oracle.com/technetwork/sec...
Keywords: security
Depends on: 211273 211274 216244
Blocks:
  Show dependency treegraph
 
Reported: 2016-07-20 16:21 UTC by Markus Kohlmeyer
Modified: 2017-04-25 17:59 UTC (History)
6 users (show)

See Also:
mmokhi: maintainer-feedback+
koobs: maintainer-feedback? (ale)
koobs: exp-run?


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Kohlmeyer 2016-07-20 16:21:32 UTC
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL

Affected Ports:
databases/mysql55-client, databases/mysql55-server: <= 5.5.49
databases/mysql56-client, databases/mysql56-server: <= 5.6.30
databases/mysql57-client, databases/mysql57-server: <= 5.7.12

Possibly affected Ports:
databases/mariadb*
databases/percona*
Comment 1 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-20 16:38:24 UTC
Hi.
Thanks for informing about it.

I'm not maintainer of mysql55 and mysql56.
So *probably* you should 'maintainer-feedback?' them too, or file multiple issues *next time* :D.
BTW :)
mysql57 is on 5.7.13 so not affected as you pointed '<= 5.7.12'.
I'll patch an update on vuxml about it.
Comment 2 Markus Kohlmeyer 2016-07-20 16:54:31 UTC
(In reply to Mahdi Mokhtari from comment #1)
You where auto-assigned by Bugzilla, not me ;)

I added MySQL 5.7 so that vuxml will get the needed entries and that users of MySQL <=5.7.12 get informed of their insecure installs and urged to upgrade to current 5.7.13.


And yes, next time i'll file multiple Bugs for different versions/ports.
Comment 3 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-20 17:34:40 UTC
(In reply to Markus Kohlmeyer from comment #2)
> I added MySQL 5.7 so that vuxml will get the needed entries and that users of MySQL <=5.7.12 get informed of their insecure installs and urged to upgrade to current 5.7.13.
Sure you're right :)
That's why i told I'll patch on vuxml ;)

Thanks for your infos, again.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-21 00:50:16 UTC
@Mohki, @Alex, @Bernard Can you create sub-issues blocking this one for your respective ports please, I'll assign this one as the parent 'tracking' issue to ports-secteam so they can coordinate
Comment 5 Bernard Spil freebsd_committer 2016-07-21 14:45:33 UTC
Creating a vuxml entry for this
Comment 6 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-21 14:56:09 UTC
(In reply to Bernard Spil from comment #5)
Will create entry for MariaDB only ? or you'll do it for all?
Comment 7 commit-hook freebsd_committer 2016-07-21 14:59:01 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 21 14:58:08 UTC 2016
New revision: 418877
URL: https://svnweb.freebsd.org/changeset/ports/418877

Log:
  security/vuxml: Add MySQL vulnerabilities from quarterly update

    - Add MariaDB ports
    - Add Percona ports

  PR:		211248

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Bernard Spil freebsd_committer 2016-07-21 15:01:53 UTC
(In reply to Mahdi Mokhtari from comment #6)
All of them
Comment 9 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-21 15:09:04 UTC
(In reply to Bernard Spil from comment #8)
Okay, Thanks :)
I checked your commit diff.
I guess you did a small typo :D
I think you should change mysql 5.7.13 to 5.7.12
Comment 10 commit-hook freebsd_committer 2016-07-21 18:26:16 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 21 18:25:23 UTC 2016
New revision: 418887
URL: https://svnweb.freebsd.org/changeset/ports/418887

Log:
  security/vuxml: Current mysql57 is NOT vulnerable

  PR:		211248

Changes:
  head/security/vuxml/vuln.xml
Comment 11 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-21 18:29:01 UTC
(In reply to commit-hook from comment #10)
Thanks
Comment 12 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-07-21 19:51:58 UTC
Then should we now close issues it depends on?
Such as issue#211273
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-06 12:42:53 UTC
(In reply to Mahdi Mokhtari from comment #12)

Bug 211273 can/should only be closed when all of the things that need to be done for it are done (whatever those things are).

The commits and comments for mysql57 should have occured on bug 211273 (which is still in the new state with no history) not on this bug.

Also, we have no response yet from ale@ on mysql56

@ports-secteam, can you coordinate the version update and merge of mysql56-server and its vuxml entry in a separate (blocking) issue please
Comment 14 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-08-06 13:51:46 UTC
(In reply to Kubilay Kocak from comment #13)
Okay, Thanks :)
So, I guess it can be closed :) cause the only thing was needed for it IMO was the vuxml entry to be updated.
Comment 15 Markus Kohlmeyer 2016-11-23 17:55:29 UTC
ping
Comment 16 Mark Felder freebsd_committer 2016-11-29 15:05:11 UTC
Is there any action left for this ticket?
Comment 17 Mahdi Mokhtari freebsd_committer freebsd_triage 2016-11-29 15:21:59 UTC
(In reply to Mark Felder from comment #16)
for mysql57 and mariadb* i guess no action left.
I afraid mysql55 and 56 still have actions let (cause ale@'s flag is still '?'), but maybe things on these two can be considered as overcome by time.
I also am not sure about what is exp-run flag here? (and how we[=maintainers] should do with it)

Regards.
Comment 18 commit-hook freebsd_committer 2017-01-19 22:30:07 UTC
A commit references this bug:

Author: feld
Date: Thu Jan 19 22:29:06 UTC 2017
New revision: 431919
URL: https://svnweb.freebsd.org/changeset/ports/431919

Log:
  databases/mysql56: Update to 5.6.35

  - Port improvements from MySQL 5.7 port
  - Use system libs instead of bundled
  - Fix many open PRs
  - Change MAINTAINER

  PR:		216244 192657 198812 199751 205093
  PR:		209618 211248 205983 209338

Changes:
  head/databases/mysql56-client/Makefile
  head/databases/mysql56-client/files/patch-CMakeLists.txt
  head/databases/mysql56-client/files/patch-extra_CMakeLists.txt
  head/databases/mysql56-client/files/patch-man_CMakeLists.txt
  head/databases/mysql56-client/files/patch-mysys_ssl_my_default.cc
  head/databases/mysql56-client/files/patch-scripts_CMakeLists.txt
  head/databases/mysql56-client/files/patch-support-files_CMakeLists.txt
  head/databases/mysql56-client/pkg-message
  head/databases/mysql56-server/Makefile
  head/databases/mysql56-server/distinfo
  head/databases/mysql56-server/files/my.cnf.sample.in
  head/databases/mysql56-server/files/mysql-server.in
  head/databases/mysql56-server/files/patch-mysys_ssl_my_default.cc
  head/databases/mysql56-server/pkg-message
  head/databases/mysql56-server/pkg-plist
Comment 19 commit-hook freebsd_committer 2017-01-26 19:59:35 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jan 26 19:58:07 UTC 2017
New revision: 432535
URL: https://svnweb.freebsd.org/changeset/ports/432535

Log:
  MFH: r431919 r431968 r431975 r432035 r432066 r432458

  databases/mysql56: Update to 5.6.35

  - Port improvements from MySQL 5.7 port
  - Use system libs instead of bundled
  - Fix many open PRs
  - Change MAINTAINER

  PR:		216244 192657 198812 199751 205093
  PR:		209618 211248 205983 209338

  databases/mysql56-server: Rollback rc script changes

  databases/mysql56-server: Do not install my.cnf sample

  An issue was discovered where users of mysql did not have a my.cnf and
  the recent update was causing mysqld to find a sample my.cnf and load
  its parameters. This was causing errors on startup for users of innodb
  as the parameters used to init the database did not match the ones in
  the sample config file it was now reading.

  databases/mysql56-server: Fix build with LibreSSL

    - Fix CMake SSL detection
    - Always set WITH_SSL=${OPENSSLBASE}

  PR:		216311
  Approved by:	Mahdi Moktari <mokhi64@gmail.com> (maintainer)
  Differential Revision:	D9272

  Revert r432035 part 2, it breaks build with openssl from base

  With hat:	portmgr

  databases/mysql56-server: Fix OpenSSL linking

    - Force dynamic linking with OpenSSL

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/databases/mysql56-client/Makefile
  branches/2017Q1/databases/mysql56-client/files/patch-CMakeLists.txt
  branches/2017Q1/databases/mysql56-client/files/patch-cmake_ssl.cmake
  branches/2017Q1/databases/mysql56-client/files/patch-extra_CMakeLists.txt
  branches/2017Q1/databases/mysql56-client/files/patch-man_CMakeLists.txt
  branches/2017Q1/databases/mysql56-client/files/patch-mysys_ssl_my_default.cc
  branches/2017Q1/databases/mysql56-client/files/patch-scripts_CMakeLists.txt
  branches/2017Q1/databases/mysql56-client/files/patch-support-files_CMakeLists.txt
  branches/2017Q1/databases/mysql56-client/pkg-message
  branches/2017Q1/databases/mysql56-server/Makefile
  branches/2017Q1/databases/mysql56-server/distinfo
  branches/2017Q1/databases/mysql56-server/files/my.cnf.sample.in
  branches/2017Q1/databases/mysql56-server/files/patch-cmake_ssl.cmake
  branches/2017Q1/databases/mysql56-server/files/patch-mysys_ssl_my_default.cc
  branches/2017Q1/databases/mysql56-server/pkg-message
  branches/2017Q1/databases/mysql56-server/pkg-plist
Comment 20 Markus Kohlmeyer 2017-04-25 15:44:24 UTC
ping
Comment 21 Mark Felder freebsd_committer 2017-04-25 15:49:58 UTC
(In reply to Markus Kohlmeyer from comment #20)

Is there an outstanding issue here, Markus? This was not clear previously.
Comment 22 Markus Kohlmeyer 2017-04-25 16:20:56 UTC
I don't see an outstanding issue here, so this pr can be closed.
Thanks Mark.