[debian-mysql] Bug#698068: MySQL 5.5.30 does not fix CVE-2012-4414, what to do next?

Clint Byrum clint at ubuntu.com
Sat Mar 9 16:09:53 UTC 2013


On Mar 9, 2013, at 6:55, Kristian Nielsen <knielsen at knielsen-hq.org> wrote:

> Hi Clint,
> 
>> I have just now committed MariaDB's test for CVE-2012-4414 to the SVN
>> repo where we maintain mysql-5.5 unstable packaging. The package fails
>> to build right now because this test fails.
> 
>> 2) Somebody step up and give us a patch for 5.5.30 which fixes
>> CVE-2012-4414.  There's probably a commit in percona's tree somewhere
>> that can solve the issue with perhaps some fuzz to resolve.
> 
> Do you want me to do such a patch?
> 
> (It was I who fixed the bug in MariaDB).
> 
> I should be able to prepare a patch quickly, but I only want to spend the time
> if it can be used by Debian.
> 

Thanks so much for stepping up to help, Kristian.

> Do I understand correctly that you need a patch against upstream MySQL 5.5.29?
> 
> My idea would be to take basically the patch from MySQL 5.5.30 and backport it
> to MySQL 5.5.29, adding any missing bits from the MariaDB patch. So that
> maintenance is easier if/when a later MySQL version must be dropped into
> Debian. Does that sound ok?
> 

MySQL 5.5.30 does not have a working fix. What it has fails the test. What we need is for the bad fix to be removed, and the MariaDB fix to be applied instead. 5.5.30 or 5.5.29 would be fine.

#debian-mysql on OFTC IRC would be a good place to come discuss this too (SpamapS is my handle).

thanks again for the interest in helping!
