From: Erwin Lansing
To: Mark Felder
Cc: Alex Dupre, ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Date: Fri, 17 Jul 2015 14:45:46 +0200
Subject: Re: svn commit: r392140 - head/databases/mysql56-server
Message-ID: <20150717124545.GY63119@droso.dk>
In-Reply-To: <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me>
On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote:
>
> > On Jul 17, 2015, at 05:10, Erwin Lansing wrote:
> >
> > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote:
> >> Erwin Lansing wrote:
> >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
> >>>>
> >>>> Log:
> >>>> Update to 5.6.25 release.
> >>>
> >>> Does this by any chance fix this vulnerability?
> >>
> >> No, probably they are not going to fix this "vulnerability" because,
> >> even if it wasn't a great security choice and in fact it changed in
> >> mysql 5.7, it was the intended and documented behavior:
> >>
> >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.
> >>
> >
> > Currently, the VuXML entry prohibits the installation of the mysql, mariadb,
> > and percona servers in any version. Adding ports-secteam for advice on
> > how to handle this situation.
> >
>
> You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected.
>
> If we want to remove this blocker perhaps a pkg-install message would be sufficient?
>

That sounds like a good compromise, so users at least are aware of the issue and can take their precautions, without preventing them from installing.
Erwin

-- 
Erwin Lansing
http://droso.dk
erwin@lansing.dk
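The documented behaviour quoted in the thread (the client `ssl` option permits but does not require TLS, and the client silently falls back to plaintext) is what the VuXML entry is about. As an added example, not code from the thread or from the ports tree, here is a small Python audit a defender can run: a static check of a my.cnf `[client]` section and a runtime check on the rows of `SHOW SESSION STATUS LIKE 'Ssl%'`. It assumes that only the later `ssl-mode` option (MySQL 5.7.11 and newer) makes the client abort instead of downgrading; a 5.6-era configuration can only come out as "permits-only" or "plaintext".

```python
"""Audit whether a MySQL client merely permits TLS or actually requires it.

Added example, not code from the thread or the ports tree.
Static check: the [client] section of a my.cnf text. Runtime check: the rows
returned by SHOW SESSION STATUS LIKE 'Ssl%' (constructed inputs below).
"""
import configparser
from typing import List, Tuple

# Assumption: only ssl-mode (MySQL 5.7.11+) makes the client refuse a plaintext
# fallback; the 5.6-era bare 'ssl' option only permits TLS, as the thread quotes.
ENFORCING_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
DISABLED_VALUES = {"0", "FALSE", "OFF"}


def _normalize(key: str) -> str:
    # MySQL accepts ssl_mode and ssl-mode as the same option name.
    return key.strip().lower().replace("_", "-")


def audit_client_config(my_cnf: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'plaintext', 'permits-only' or 'enforces'."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(my_cnf)
    if not parser.has_section("client"):
        return "plaintext", "no [client] section, TLS is not requested at all"
    opts = {_normalize(k): (v or "").strip().upper() for k, v in parser.items("client")}
    mode = opts.get("ssl-mode")
    if mode in ENFORCING_MODES:
        return "enforces", f"ssl-mode={mode} refuses a plaintext fallback"
    if mode == "DISABLED" or opts.get("ssl") in DISABLED_VALUES:
        return "plaintext", "TLS explicitly disabled"
    # Bare 'ssl', 'ssl=1' or only ssl-ca/ssl-cert/ssl-key paths: the behaviour the
    # thread quotes applies, the client permits TLS but may silently downgrade.
    if "ssl" in opts or any(k.startswith("ssl-") for k in opts):
        return "permits-only", "TLS requested but not required; client may fall back"
    return "plaintext", "no ssl options"


def connection_is_encrypted(status_rows: List[Tuple[str, str]]) -> bool:
    """Ssl_cipher is the empty string on a plaintext link, so it shows whether the
    *current* session really negotiated TLS, whatever the configuration asked for."""
    return bool(dict(status_rows).get("Ssl_cipher"))


if __name__ == "__main__":
    SAMPLE_CNF = "[client]\nssl\nssl-ca=/etc/ssl/mysql-ca.pem\n"  # constructed
    print(audit_client_config(SAMPLE_CNF))                       # permits-only
    SAMPLE_STATUS = [("Ssl_cipher", ""), ("Ssl_version", "")]    # constructed: fell back
    print(connection_is_encrypted(SAMPLE_STATUS))                # False
```

The runtime check is the one that matters on a 5.6 client: run the status query right after connecting and treat an empty `Ssl_cipher` as a downgraded connection, regardless of what the config requested.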