Bug 237399 - databases/mysql57-server: Update to 5.7.26 (Fixes multiple CVE)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Mahdi Mokhtari
URL: https://www.oracle.com/technetwork/se...
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2019-04-19 23:22 UTC by Brent Busby
Modified: 2019-05-13 19:34 UTC

See Also:
mmokhi: maintainer-feedback+


Description Brent Busby 2019-04-19 23:22:43 UTC
Oracle released 5.7.26, which closes multiple vulnerabilities, including four which are remotely exploitable without a valid login.

See:
https://vuxml.freebsd.org/freebsd/4e1997e8-5de0-11e9-b95c-b499baebfeaf.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL
Comment 1 Brent Busby 2019-04-19 23:32:25 UTC
This version is still pending release from Oracle.
Comment 2 Dani I. 2019-04-26 12:07:20 UTC
Latest version is now available: https://dev.mysql.com/downloads/mysql/5.7.html#downloads
Comment 3 Mahdi Mokhtari freebsd_committer freebsd_triage 2019-04-26 19:08:58 UTC
Thanks for the heads-up about it.
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-04-28 21:25:02 UTC
A commit references this bug:

Author: mmokhi
Date: Sun Apr 28 21:24:36 UTC 2019
New revision: 500372
URL: https://svnweb.freebsd.org/changeset/ports/500372

Log:
  databases/mysql56-{client, server}: Update to latest release 5.6.44
  This update includes
  Bugfix:
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES
      was not updated when adding an index
  - MySQL 5.6 did not build with maintainer mode enabled with GCC 7
  - A damaged mysql.user table could cause a server exit
  - mysqladmin shutdown did not wait for mysqld to shut down
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-44.html

  Security Fix:
  CVE-2019-1559, CVE-2018-3123 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/databases/mysql56-server/Makefile
  head/databases/mysql56-server/distinfo
  head/databases/mysql56-server/files/patch-cmake_plugin.cmake
  head/databases/mysql56-server/pkg-plist
Comment 5 commit-hook freebsd_committer freebsd_triage 2019-04-28 21:35:12 UTC
A commit references this bug:

Author: mmokhi
Date: Sun Apr 28 21:34:15 UTC 2019
New revision: 500373
URL: https://svnweb.freebsd.org/changeset/ports/500373

Log:
  databases/mysql57-{client, server}: Update to latest release 5.7.26
  This update includes:
  Bugfix:
  - InnoDB: Optimized internal temporary tables did not support
      in-place UPDATE operations
  - InnoDB: A function called by a CREATE TABLE thread attempted access after free()
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES
      was not updated when adding an index
  - The authentication_ldap_simple plugin could enforce authentication incorrectly
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html

  Security Fix:
  CVE-2019-2632, CVE-2019-1559, CVE-2018-3123, and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/databases/mysql57-client/files/patch-cmake_plugin.cmake
  head/databases/mysql57-server/Makefile
  head/databases/mysql57-server/distinfo
  head/databases/mysql57-server/files/patch-cmake_plugin.cmake
  head/databases/mysql57-server/files/patch-rapid_plugin_x_CMakeLists.txt
  head/databases/mysql57-server/pkg-plist
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-05-11 14:15:58 UTC
A commit references this bug:

Author: mmokhi
Date: Sat May 11 14:15:47 UTC 2019
New revision: 501261
URL: https://svnweb.freebsd.org/changeset/ports/501261

Log:
  databases/mysql80-{client, server}: Update to latest release 8.0.16

  This update includes:
  Bugfixes:
  - InnoDB: Undo tablespaces remained unencrypted after enabling
      undo tablespace encryption at startup. (Bug #29477795)
  - InnoDB: Problematic macros introduced with undo tablespace DDL support
      (Bug #29324132, Bug #94243).
  - InnoDB: Static thread local variables defined at the wrong scope
      were not released at thread exit. (Bug #29305186)
  -  Memory leaks discovered in the innochecksum  (Bug #28917614, Bug #93164).

  New features:
  - MySQL C API now supports asynchronous functions for
      nonblocking communication with the MySQL server.
  - MySQL now supports a new Chinese collation, utf8mb4_zh_0900_as_cs
  - CMake now causes the build process to link with the llvm lld linker
      for Clang if it is available.

  Security Fix:
  CVE-2019-2632, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/databases/mysql80-client/files/patch-client_CMakeLists.txt
  head/databases/mysql80-client/files/patch-include_CMakeLists.txt
  head/databases/mysql80-client/files/patch-scripts_CMakeLists.txt
  head/databases/mysql80-client/files/patch-sql_mysqld.cc
  head/databases/mysql80-client/files/patch-support-files_CMakeLists.txt
  head/databases/mysql80-client/pkg-plist
  head/databases/mysql80-server/Makefile
  head/databases/mysql80-server/distinfo
  head/databases/mysql80-server/files/patch-client_CMakeLists.txt
  head/databases/mysql80-server/files/patch-plugin_x_CMakeLists.txt
  head/databases/mysql80-server/files/patch-router_src_harness_CMakeLists.txt
  head/databases/mysql80-server/files/patch-sql_mysqld.cc
  head/databases/mysql80-server/pkg-plist
Comment 7 linus.sundqvist 2019-05-13 10:36:24 UTC
When can we expect these patches in the quarterly-branch?
Comment 8 commit-hook freebsd_committer freebsd_triage 2019-05-13 19:28:30 UTC
A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:27:32 UTC 2019
New revision: 501588
URL: https://svnweb.freebsd.org/changeset/ports/501588

Log:
  MFH: r500372

  databases/mysql56-{client, server}: Update to latest release 5.6.44
  This update includes
  Bugfix:
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES
      was not updated when adding an index
  - MySQL 5.6 did not build with maintainer mode enabled with GCC 7
  - A damaged mysql.user table could cause a server exit
  - mysqladmin shutdown did not wait for mysqld to shut down
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-44.html

  Security Fix:
  CVE-2019-1559, CVE-2018-3123 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

  Approved by:	ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql56-server/Makefile
  branches/2019Q2/databases/mysql56-server/distinfo
  branches/2019Q2/databases/mysql56-server/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql56-server/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-05-13 19:30:35 UTC
A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:30:24 UTC 2019
New revision: 501589
URL: https://svnweb.freebsd.org/changeset/ports/501589

Log:
  MFH: r500373

  databases/mysql57-{client, server}: Update to latest release 5.7.26
  This update includes:
  Bugfix:
  - InnoDB: Optimized internal temporary tables did not support
      in-place UPDATE operations
  - InnoDB: A function called by a CREATE TABLE thread attempted access after free()
  - InnoDB: The INDEX_LENGTH value in INFORMATION_SCHEMA.TABLES
      was not updated when adding an index
  - The authentication_ldap_simple plugin could enforce authentication incorrectly
  More info: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html

  Security Fix:
  CVE-2019-2632, CVE-2019-1559, CVE-2018-3123, and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

  Approved by:	ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql57-client/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql57-server/Makefile
  branches/2019Q2/databases/mysql57-server/distinfo
  branches/2019Q2/databases/mysql57-server/files/patch-cmake_plugin.cmake
  branches/2019Q2/databases/mysql57-server/files/patch-rapid_plugin_x_CMakeLists.txt
  branches/2019Q2/databases/mysql57-server/pkg-plist
Comment 10 commit-hook freebsd_committer freebsd_triage 2019-05-13 19:33:40 UTC
A commit references this bug:

Author: mmokhi
Date: Mon May 13 19:33:32 UTC 2019
New revision: 501591
URL: https://svnweb.freebsd.org/changeset/ports/501591

Log:
  MFH: r501261

  databases/mysql80-{client, server}: Update to latest release 8.0.16

  This update includes:
  Bugfixes:
  - InnoDB: Undo tablespaces remained unencrypted after enabling
      undo tablespace encryption at startup. (Bug #29477795)
  - InnoDB: Problematic macros introduced with undo tablespace DDL support
      (Bug #29324132, Bug #94243).
  - InnoDB: Static thread local variables defined at the wrong scope
      were not released at thread exit. (Bug #29305186)
  -  Memory leaks discovered in the innochecksum  (Bug #28917614, Bug #93164).

  New features:
  - MySQL C API now supports asynchronous functions for
      nonblocking communication with the MySQL server.
  - MySQL now supports a new Chinese collation, utf8mb4_zh_0900_as_cs
  - CMake now causes the build process to link with the llvm lld linker
      for Clang if it is available.

  Security Fix:
  CVE-2019-2632, CVE-2019-2693, CVE-2019-2694, CVE-2019-2695 and other fixes.
  More info: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

  PR:		237399
  Reported by:	Brent Busby <brent@jfi.uchicago.edu>
  Sponsored by:	The FreeBSD Foundation

  Approved by:	ports-secteam (feld, CVE-patch blanket)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/databases/mysql80-client/files/patch-client_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-include_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-scripts_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/files/patch-sql_mysqld.cc
  branches/2019Q2/databases/mysql80-client/files/patch-support-files_CMakeLists.txt
  branches/2019Q2/databases/mysql80-client/pkg-plist
  branches/2019Q2/databases/mysql80-server/Makefile
  branches/2019Q2/databases/mysql80-server/distinfo
  branches/2019Q2/databases/mysql80-server/files/patch-client_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-plugin_x_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-router_src_harness_CMakeLists.txt
  branches/2019Q2/databases/mysql80-server/files/patch-sql_mysqld.cc
  branches/2019Q2/databases/mysql80-server/pkg-plist
Comment 11 Mahdi Mokhtari freebsd_committer freebsd_triage 2019-05-13 19:34:59 UTC
(In reply to linus.sundqvist from comment #7)
Thanks for the reminder dear linus, MFH'd as well :)