[debian-mysql] Bug#704945: Bug#675872: mysql-server-5.1: CVE-2012-0882

Clint Byrum clint at ubuntu.com
Mon Apr 8 02:59:22 UTC 2013


On 2013-04-07 19:26, Michael Gilbert wrote:
> clone 675872 -1
> reassign -1 src:mysql-5.5
> 
> There still isn't much to go on about this issue, but all signs point
> to it still existing.  Note that redhat's mysql packages use openssl
> instead of yassl; altogether avoiding the uncertainties with yassl,
> which seems not very supported security-wise.  It may be wise to do
> the same for the Debian packages.
> 

What gave you the impression it is still existing? Oracle claims it was 
resolved in 5.5.22 and 5.1.62. Ubuntu has also marked it as resolved.

This seems like an uninformed opinion. yaSSL is quite well supported 
and this issue was addressed rather quickly. The yaSSL team responds 
quite rapidly to open CVEs, and even the most recent one, CVE-2013-1623 
[1], is addressed in yaSSL (just not in an upstream release of MySQL 
yet).

OpenSSL is not an option until OpenSSL has granted a license exception 
for MySQL, something, AFAICT, they have not done. It is merely an 
opinion of RedHat that they don't need one, but Debian has taken an 
opposite position.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699886


