svn commit: r392140 - head/databases/mysql56-server

Erwin Lansing erwin at FreeBSD.org
Fri Jul 17 12:45:52 UTC 2015


On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote:
> 
> > On Jul 17, 2015, at 05:10, Erwin Lansing <erwin at FreeBSD.org> wrote:
> > 
> > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote:
> >> Erwin Lansing wrote:
> >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
> >>>> 
> >>>> Log:
> >>>>  Update to 5.6.25 release.
> >>> 
> >>> Does this by any chance fix this vulnerability?
> >> 
> >> No, probably they are not going to fix this "vulnerability" because,
> >> even if it wasn't a great security choice and in fact it changed in
> >> mysql 5.7, it was the intended and documented behavior:
> >> 
> >> 
> >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection. 
> >> 
> > 
> > Currently, the VuXML entry prohibits the installation of the mysql, mariadb,
> > and percona servers in any version.  Adding ports-secteam for advice on
> > how to handle this situation.
> > 
> 
> You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected.
> 
> If we want to remove this blocker perhaps a pkg-install message would be sufficient?
> 

That sounds like a good compromise, so users at least are aware of the
issue and can take their precautions, without preventing them from
installing.

Erwin

-- 
Erwin Lansing                       (o_ _o)        http://droso.dk
                                 \\\_\   /_///
erwin at lansing.dk                 <____) (____>
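A defender-side check for the documented behaviour quoted in this thread, added here as an example and not code from the thread, the ports tree or MySQL: it lints a client option file for sections that turn on TLS without forcing it. The `audit_client_options` helper and the sample option file are constructed for the demonstration; it assumes the 5.7 `ssl-mode` option (REQUIRED / VERIFY_CA / VERIFY_IDENTITY) as the setting that refuses a plaintext session.

```python
"""Lint a MySQL client option file for TLS settings that only permit TLS.
Added example, not code from the thread, the ports tree or MySQL. Before
5.7, 'ssl' / 'ssl-ca' only allow TLS and the client drops to plaintext if
the server offers none; 5.7's ssl-mode REQUIRED / VERIFY_CA /
VERIFY_IDENTITY refuses a plaintext session."""
import configparser

# ssl-mode values that make the client refuse an unencrypted connection.
ENFORCING_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
# Options that enable TLS without requiring it.
PERMISSIVE_KEYS = {"ssl", "ssl-ca", "ssl-capath", "ssl-cert", "ssl-key"}

# Constructed sample: [client] is weak, [mysqldump] is hardened.
SAMPLE_OPTION_FILE = """[client]
user = app
ssl
ssl-ca = /etc/ssl/certs/ca.pem

[mysqldump]
ssl-mode = VERIFY_CA
ssl-ca = /etc/ssl/certs/ca.pem
"""

def _normalise(key: str) -> str:
    # MySQL treats '-' and '_' in option names as equivalent.
    return key.strip().lower().replace("_", "-")

def audit_client_options(text: str) -> dict:
    """Map each section that enables TLS without enforcing it to a finding.
    Simplified reader: plain [section]/key=value files only; '!include'
    directives are not followed. Returns {} when no section is weak."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        opts = {_normalise(k): (v or "").strip().upper()
                for k, v in parser.items(section)}
        mode = opts.get("ssl-mode")
        if mode in ENFORCING_MODES:
            continue                      # plaintext fallback is refused
        if PERMISSIVE_KEYS & opts.keys() or mode == "PREFERRED":
            findings[section] = ("TLS permitted but not required: client "
                                 "falls back to plaintext if the server "
                                 "has no TLS; set ssl-mode=REQUIRED or "
                                 "stricter")
    return findings
```

Running `audit_client_options(SAMPLE_OPTION_FILE)` flags only the `[client]` section; the `[mysqldump]` section passes because `ssl-mode = VERIFY_CA` refuses an unencrypted session.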