Date: Fri, 17 Jul 2015 14:45:46 +0200
From: Erwin Lansing <erwin@FreeBSD.org>
To: Mark Felder <feld@feld.me>
Cc: Alex Dupre <ale@FreeBSD.org>, ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r392140 - head/databases/mysql56-server
Message-ID: <20150717124545.GY63119@droso.dk>
In-Reply-To: <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me>
References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org> <20150717101036.GX63119@droso.dk> <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me>
On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote:
>
> > On Jul 17, 2015, at 05:10, Erwin Lansing <erwin@FreeBSD.org> wrote:
> >
> > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote:
> >> Erwin Lansing wrote:
> >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
> >>>>
> >>>> Log:
> >>>> Update to 5.6.25 release.
> >>>
> >>> Does this by any chance fix this vulnerability?
> >>
> >> No, probably they are not going to fix this "vulnerability" because,
> >> even if it wasn't a great security choice and in fact it changed in
> >> mysql 5.7, it was the intended and documented behavior:
> >>
> >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.
> >>
> >
> > Currently, the VuXML entry prohibits the installation of the mysql, mariadb,
> > and percona servers in any version. Adding ports-secteam for advice on
> > how to handle this situation.
> >
>
> You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected.
>
> If we want to remove this blocker perhaps a pkg-install message would be sufficient?
>

That sounds like a good compromise, so users at least are aware of the issue and can take their precautions, without preventing them from installing.
Erwin
--
Erwin Lansing
http://droso.dk
erwin@lansing.dk
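The fallback quoted from the MySQL manual above is client-side, so the practical check and mitigation live on the server. The following statements are an added example, not part of the thread; the account name, host pattern and password are placeholders.

```sql
-- Added example (not from the thread): confirm whether a session is actually
-- encrypted, then make the server refuse plaintext for an account so the
-- client's --ssl option can no longer silently fall back.

-- 1. Run from the client session under test. An empty Value for Ssl_cipher
--    means the connection fell back to an unencrypted transport.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 2. Require SSL for the account on the server side (MySQL 5.6 syntax).
--    'app', '10.0.0.%' and 'change-me' are placeholder values.
GRANT USAGE ON *.* TO 'app'@'10.0.0.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
FLUSH PRIVILEGES;

-- 3. Verify the requirement was recorded: ssl_type should read 'ANY'.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'app';
```

With REQUIRE SSL in place, a client that cannot negotiate SSL is rejected at authentication instead of being served over plaintext.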