From: Xin LI
Organization: The Geek China Organization
Date: Sat, 27 Sep 2008 00:43:41 -0700
To: Andrew Daugherity
Cc: freebsd-ports@freebsd.org
Reply-To: d@delphij.net
Subject: Re: feasibility of updating databases/mysql41-server?
Message-ID: <48DDE42D.3050006@delphij.net>
In-Reply-To: <48DA385B.2389.00F2.0@vprmail.tamu.edu>
List-Id: Porting software to FreeBSD

Andrew Daugherity wrote:
> I still have a server running mysql 4.1.22, and it's marked as having the "MyISAM table privileges secuity [sic] bypass vulnerability". According to CVE-2008-2079 (linked from portaudit), this is fixed in 4.1.24.
>
> I was going to file a PR asking for an update to 4.1.24, but then I discovered that MySQL 4.1 is in the "extended support" phase where they aren't releasing tarballs any more (and of course no binaries). The source *is* still available, but it's in the bazaar repo (see: http://blogs.sun.com/datacharmer/entry/hidden_jevewls_in_mysql_bazaar ). This can be checked out and built, but having a build-dep of bzr is probably not wanted.
>
> Is it feasible (both license-wise and technically) to have a mirror of a 4.1.24 bzr checkout in tarball form somewhere, so the port can be built?

Yes, but for this case I think the more preferred way would be to obtain the fix from the repository and apply it in files/ as a patch. This makes reviewing the code much easier.

Cheers,