[debian-mysql] Bug#698068: MySQL 5.5.30 does not fix CVE-2012-4414, what to do next?

Clint Byrum spamaps at debian.org
Fri Mar 8 17:22:43 UTC 2013


Please refer to [1] as the rest of this message assumes the reader has
read the log thus far.

I have just now committed MariaDB's test for CVE-2012-4414 to the SVN
repo where we maintain mysql-5.5 unstable packaging. The package fails
to build right now because this test fails.

Lifting the test out of the commit is easy. To lift the fix out is much
more complicated. I know it can be done, because Percona did it in their
branch. But I do not have the time to commit to such a delicate operation.

So, we are left with some options:

1) Un-block unstable's 5.5.29 and let it proceed into testing, which
will fix several other CVEs. This will introduce CVE-2012-4414. It's a
lower-priority fix, so this seems like a valid option if we are pressed
for time.

2) Somebody step up and give us a patch for 5.5.30 which fixes
CVE-2012-4414. There's probably a commit in Percona's tree somewhere
that can solve the issue with perhaps some fuzz to resolve.

3) Wait until 5.5.31 comes out, and pray that Oracle have actually fixed
this security vulnerability. They've been releasing patch versions on a
2-3 month pace, so we should be able to expect 5.5.31 by late April at
the latest. It's actually a good sign that the changelog for 5.5.31 [2]
has nothing in it. The security fixes are never enumerated there due to
Oracle's non-disclosure policy. We will end up shipping 5.5.31 in the
security pocket anyway.

This is as much "FYI" as "halp!" for the release team. Any advice is
appreciated.

Thank you

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698068
[2] http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-31.html
