From owner-svn-ports-all@freebsd.org Fri Jul 17 13:52:12 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 879FF9A462A for ; Fri, 17 Jul 2015 13:52:12 +0000 (UTC) (envelope-from feld@feld.me) Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 474CE1E00 for ; Fri, 17 Jul 2015 13:52:12 +0000 (UTC) (envelope-from feld@feld.me) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 8900220CD5 for ; Fri, 17 Jul 2015 09:52:10 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute3.internal (MEProxy); Fri, 17 Jul 2015 09:52:10 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=feld.me; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=ZFe5nztJrDZSd6vI1fwmxiSuiXk=; b=h6KTkz xdnBpGyP8zgKPmsoKiBAX9SqUm1JtaHJDjpCUnQCyMgdSlfmjzGviJp5FHBKwonh DpppFXf5YnVtBt0b/zGBE1tP21cs54mxfBugz5KKEV7St+DmNVVk+35AiS5mh22L Rxis8e+cNLbBndFlS8Xg+X70Fty3MrQJOmOWM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=ZFe5nztJrDZSd6v I1fwmxiSuiXk=; b=mcaEwzRWeyTu7WQ1us6Nc0V1t7lCAv/wg/S0LZqBU8QqHzt a2imjl5Lg0R7F5pjXaVpWJkmtvYgWdGaDgCKQ4r2hRTGs7NCSh8jNUCUxTzCF5Si J+qLu3rN+U0/T39R0QnJ5ccnU7fuWqpM0sSR0UirAjrIQmdCTI5okt7I5QjI= Received: by web3.nyi.internal (Postfix, from userid 99) id 5FFC310DF8D; Fri, 17 Jul 2015 09:52:10 -0400 (EDT) Message-Id: <1437141130.3630805.326264393.3E18DDC3@webmail.messagingengine.com> X-Sasl-Enc: OFRO8+jFh6lflBE6xOl5+EFiia/lGrPQHkexWcX00yBh 1437141130 From: Mark Felder To: Erwin Lansing Cc: Alex Dupre , ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-63a5d8c6 Subject: Re: svn commit: r392140 - head/databases/mysql56-server Date: Fri, 17 Jul 2015 08:52:10 -0500 In-Reply-To: <20150717124545.GY63119@droso.dk> References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org> <20150717101036.GX63119@droso.dk> <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me> <20150717124545.GY63119@droso.dk> X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2015 13:52:12 -0000 On Fri, Jul 17, 2015, at 07:45, Erwin Lansing wrote: > On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote: > > > > > On Jul 17, 2015, at 05:10, Erwin Lansing wrote: > > > > > > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote: > > >> Erwin Lansing wrote: > > >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140 > > >>>> > > >>>> Log: > > >>>> Update to 5.6.25 release. > > >>> > > >>> Does this by any change fix this vulnerability? > > >> > > >> No, probably they are not going to fix this "vulnerability" because, > > >> even if it wasn't a great security choice and in fact it changed in > > >> mysql 5.7, it was the intended and documented behavior: > > >> > > >> > > >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection. > > >> > > > > > > Currently, the VuXML entry prohibits the installation of the mysql, mariadb, > > > and percona servers in any version. Adding ports-secteam for advice on > > > how to handle this situation. > > > > > > > You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected. > > > > If we want to remove this blocker perhaps a pkg-install message would be sufficient? > > > > That sounds like a good compromise, so users at least are aware of the > issue and can take their precautions, without preventing them from > installing. > In order to get the pkg-install message distributed we will have to bump PORTREVISION. Any objections?