Bug 220849 - databases/mysql55-server databases/mysql56-server databases/mysql57-server security/vuxml: Update to latest (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Ports Security Team
URL: http://www.oracle.com/technetwork/sec...
Keywords: needs-patch, security
Depends on:
Blocks: 221128
Reported: 2017-07-19 10:20 UTC by Dani
Modified: 2017-08-07 12:02 UTC

See Also:
i.dani: maintainer-feedback? (ports-secteam)
i.dani: maintainer-feedback? (ale)
mmokhi: maintainer-feedback+
i.dani: merge-quarterly?


Attachments
Update to MySQL 5.5.57 (656 bytes, patch)
2017-08-03 07:55 UTC, Dani
koobs: maintainer-approval+
i.dani: maintainer-approval? (ports-secteam)

Description Dani 2017-07-19 10:20:57 UTC
The current versions available for FreeBSD are vulnerable since 17.07.2017 and have already been patched upstream. There are multiple vulnerabilities for each version.

Changelogs:
mysql55-server(Old vers.: 5.5.56): https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
mysql56-server(Old vers.: 5.6.36): https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
mysql57-server(Old vers.: 5.7.18): https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

Vulnerabilities can be found here:
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html?elq_mid=82786&sh=1426130622150824190926132209290730261531&cmid=SPPT160711P00036C0001#AppendixMSQL
Comment 1 Mahdi Mokhtari freebsd_committer freebsd_triage 2017-07-19 11:10:15 UTC
(In reply to Dani from comment #0)
Thanks for reporting :-]
The mysql56 is already updated (yesterday) and 57 is hopefully being committed today or tonight.
But I'd like to add a point that there are no security fixes in these updates according to release-notes.
Therefore, it won't need vuxml.
Comment 2 Mahdi Mokhtari freebsd_committer freebsd_triage 2017-07-19 11:37:26 UTC
(In reply to Dani from comment #0)
@Dani,
Oops sorry I didn't see the oracle.com link you've posted :)))
yeah, it introduces vulns ``:)
Comment 3 commit-hook freebsd_committer 2017-07-19 15:15:59 UTC
A commit references this bug:

Author: mmokhi
Date: Wed Jul 19 15:15:43 UTC 2017
New revision: 446203
URL: https://svnweb.freebsd.org/changeset/ports/446203

Log:
  databases/mysql57-{client/server}: Update to 5.7.19
  ChangeLog for this update: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

  PR:		220849
  Reviewed by:	mat (mentor)
  Approved by:	mat (mentor)
  Sponsored by:	Netzkommune GmbH
  Differential Revision:	https://reviews.freebsd.org/D11656

Changes:
  head/databases/mysql57-client/Makefile
  head/databases/mysql57-client/files/patch-CMakeLists.txt
  head/databases/mysql57-client/files/patch-mysys_my__symlink.c
  head/databases/mysql57-server/Makefile
  head/databases/mysql57-server/distinfo
Comment 4 Mahdi Mokhtari freebsd_committer freebsd_triage 2017-07-19 15:21:12 UTC
(In reply to commit-hook from comment #3)
The update for mysql56 was done yesterday on r446148
Comment 5 commit-hook freebsd_committer 2017-07-25 15:04:30 UTC
A commit references this bug:

Author: mmokhi
Date: Tue Jul 25 15:04:24 UTC 2017
New revision: 446589
URL: https://svnweb.freebsd.org/changeset/ports/446589

Log:
  MFH: r446203

  databases/mysql57-{client/server}: Update to 5.7.19
  ChangeLog for this update: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

  PR:		220849
  Reviewed by:	mat (mentor)
  Approved by:	mat (mentor)
  Sponsored by:	Netzkommune GmbH
  Differential Revision:	https://reviews.freebsd.org/D11656

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/databases/mysql57-client/Makefile
  branches/2017Q3/databases/mysql57-client/files/patch-CMakeLists.txt
  branches/2017Q3/databases/mysql57-client/files/patch-mysys_my__symlink.c
  branches/2017Q3/databases/mysql57-server/Makefile
  branches/2017Q3/databases/mysql57-server/distinfo
Comment 6 mayhem30 2017-08-01 19:02:00 UTC
MySQL 5.5 has not been updated yet and is still vulnerable.
Comment 7 Dani 2017-08-03 07:55:23 UTC
Created attachment 184982
Update to MySQL 5.5.57

databases/mysql55-{server client}: Update to latest 5.5.57
Comment 8 Dani 2017-08-03 07:58:15 UTC
(In reply to Dani from comment #7)
Successfully built, installed and tested on FreeBSD 10.3.

Looks like ale isn't currently avi (no response in multiple PRs), so it would be nice if this could be looked at by the sec-team, since it's security related.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-08-06 04:11:50 UTC
Comment on attachment 184982
Update to MySQL 5.5.57

Approved by: portmgr (maintainer timeout, 2 weeks)