Date: Tue, 21 Jul 2015 11:22:09 +0200 From: Erwin Lansing <erwin@FreeBSD.org> To: Mark Felder <feld@feld.me> Cc: Alex Dupre <ale@FreeBSD.org>, ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org Subject: Re: svn commit: r392140 - head/databases/mysql56-server Message-ID: <20150721092208.GU63119@droso.dk> In-Reply-To: <1437402302.2488388.328231881.4A5FC74D@webmail.messagingengine.com> References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org> <20150717101036.GX63119@droso.dk> <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me> <20150717124545.GY63119@droso.dk> <1437141130.3630805.326264393.3E18DDC3@webmail.messagingengine.com> <1437402302.2488388.328231881.4A5FC74D@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jul 20, 2015 at 09:25:02AM -0500, Mark Felder wrote: > > > On Fri, Jul 17, 2015, at 08:52, Mark Felder wrote: > > > > > > On Fri, Jul 17, 2015, at 07:45, Erwin Lansing wrote: > > > On Fri, Jul 17, 2015 at 05:30:47AM -0500, Mark Felder wrote: > > > > > > > > > On Jul 17, 2015, at 05:10, Erwin Lansing <erwin@FreeBSD.org> wrote: > > > > > > > > > > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote: > > > > >> Erwin Lansing wrote: > > > > >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140 > > > > >>>> > > > > >>>> Log: > > > > >>>> Update to 5.6.25 release. > > > > >>> > > > > >>> Does this by any change fix this vulnerability? > > > > >> > > > > >> No, probably they are not going to fix this "vulnerability" because, > > > > >> even if it wasn't a great security choice and in fact it changed in > > > > >> mysql 5.7, it was the intended and documented behavior: > > > > >> > > > > >> > > > > >>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection. > > > > >> > > > > > > > > > > Currently, the VuXML entry prohibits the installation of the mysql, mariadb, > > > > > and percona servers in any version. Adding ports-secteam for advice on > > > > > how to handle this situation. > > > > > > > > > > > > > You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected. > > > > > > > > If we want to remove this blocker perhaps a pkg-install message would be sufficient? > > > > > > > > > > That sounds like a good compromise, so users at least are aware of the > > > issue and can take their precautions, without preventing them from > > > installing. > > > > > > > In order to get the pkg-install message distributed we will have to bump > > PORTREVISION. Any objections? > > > > This was completed. Let me know if I've created any fires, but I > couldn't see any. > Thanks Mark! -- Erwin Lansing http://droso.dk erwin@FreeBSD.org http:// www.FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150721092208.GU63119>