svn commit: r392140 - head/databases/mysql56-server

Erwin Lansing erwin at FreeBSD.org
Tue Jul 21 09:22:14 UTC 2015 

On Mon, Jul 20, 2015 at 09:25:02AM -0500, Mark Felder wrote:
> 
> 
> On Fri, Jul 17, 2015, at 08:52, Mark Felder wrote:
> > 
> > 
> > On Fri, Jul 17, 2015, at 07:45, Erwin Lansing wrote:
> > > On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote:
> > > > 
> > > > > On Jul 17, 2015, at 05:10, Erwin Lansing <erwin at FreeBSD.org> wrote:
> > > > > 
> > > > > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote:
> > > > >> Erwin Lansing wrote:
> > > > >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
> > > > >>>> 
> > > > >>>> Log:
> > > > >>>>  Update to 5.6.25 release.
> > > > >>> 
> > > > >>> Does this by any change fix this vulnerability?
> > > > >> 
> > > > >> No, probably they are not going to fix this "vulnerability" because,
> > > > >> even if it wasn't a great security choice and in fact it changed in
> > > > >> mysql 5.7, it was the intended and documented behavior:
> > > > >> 
> > > > >> 
> > > > >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection. 
> > > > >> 
> > > > > 
> > > > > Currently, the VuXML entry prohibits the installation of the mysql, mariadb,
> > > > > and percona servers in any version.  Adding ports-secteam for advice on
> > > > > how to handle this situation.
> > > > > 
> > > > 
> > > > You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected.
> > > > 
> > > > If we want to remove this blocker perhaps a pkg-install message would be sufficient?
> > > > 
> > > 
> > > That sounds like a good compromise, so users at least are aware of the
> > > issue and can take their precautions, without preventing them from
> > > installing.
> > > 
> > 
> > In order to get the pkg-install message distributed we will have to bump
> > PORTREVISION. Any objections?
> > 
> 
> This was completed. Let me know if I've created any fires, but I
> couldn't see any.
> 

Thanks Mark!

-- 
Erwin Lansing                                    http://droso.dk
erwin at FreeBSD.org                        http:// www.FreeBSD.org

More information about the svn-ports-head mailing list