Date:      Fri, 17 Jul 2015 05:30:47 -0500
From:      Mark Felder <feld@feld.me>
To:        Erwin Lansing <erwin@FreeBSD.org>
Cc:        Alex Dupre <ale@FreeBSD.org>, ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r392140 - head/databases/mysql56-server
Message-ID:  <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me>
In-Reply-To: <20150717101036.GX63119@droso.dk>
References:  <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org> <20150717101036.GX63119@droso.dk>


> On Jul 17, 2015, at 05:10, Erwin Lansing <erwin@FreeBSD.org> wrote:
>
> On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote:
>> Erwin Lansing wrote:
>>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
>>>>
>>>> Log:
>>>>  Update to 5.6.25 release.
>>>
>>> Does this by any chance fix this vulnerability?
>>
>> No, probably they are not going to fix this "vulnerability" because,
>> even if it wasn't a great security choice and in fact it changed in
>> mysql 5.7, it was the intended and documented behavior:
>>
>>
>>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.
>>
>
> Currently, the VuXML entry prohibits the installation of the mysql, mariadb,
> and percona servers in any version.  Adding ports-secteam for advice on
> how to handle this situation.
>

You're right, this entry is stopping all MySQL installations... However, mariadb55 and mariadb10 could both be bumped to versions that are not affected.

If we want to remove this blocker, perhaps a pkg-install message would be sufficient?
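The documentation quoted above says the 5.6 `--ssl` option only permits TLS, and that the client falls back to plaintext when the server does not offer it. The point at which a client learns this is the server's initial handshake packet, which advertises a CLIENT_SSL capability bit. The following Python is an added example, not code from the FreeBSD ports, from MySQL or from MariaDB: it builds two constructed HandshakeV10 payloads (one from a TLS-capable server, one without), parses the capability flags the way a client would, and contrasts the permit-only fallback with a client that refuses to downgrade. The packet layout and flag values follow the MySQL client/server protocol; the mode names, the fake scramble and the helper functions are this example's own.

```python
import struct

# Capability bits from the MySQL client/server protocol (Protocol::HandshakeV10).
# The packets below are constructed sample data for this example, not captures.
CLIENT_SSL = 0x00000800          # peer can switch to TLS right after the handshake
CLIENT_PLUGIN_AUTH = 0x00080000  # handshake carries an auth plugin name


def build_handshake(server_version: bytes, capabilities: int, connection_id: int = 7) -> bytes:
    """Construct a HandshakeV10 payload, the first packet a server sends.
    Sample data only: the scramble bytes and version string are made up."""
    scramble = bytes(range(1, 21))                     # 20-byte fake auth-plugin-data
    pkt = bytes([0x0A])                                # protocol version 10
    pkt += server_version + b"\x00"                    # NUL-terminated version string
    pkt += struct.pack("<I", connection_id)
    pkt += scramble[:8] + b"\x00"                      # auth-plugin-data part 1 + filler
    pkt += struct.pack("<H", capabilities & 0xFFFF)    # capability flags, lower 16 bits
    pkt += bytes([0x21])                               # character set (utf8_general_ci)
    pkt += struct.pack("<H", 0x0002)                   # status flags (SERVER_STATUS_AUTOCOMMIT)
    pkt += struct.pack("<H", capabilities >> 16)       # capability flags, upper 16 bits
    pkt += bytes([len(scramble) + 1 if capabilities & CLIENT_PLUGIN_AUTH else 0])
    pkt += b"\x00" * 10                                # reserved
    pkt += scramble[8:] + b"\x00"                      # auth-plugin-data part 2 (>= 13 bytes)
    if capabilities & CLIENT_PLUGIN_AUTH:
        pkt += b"mysql_native_password\x00"
    return pkt


def parse_handshake(payload: bytes) -> dict:
    """Extract the fields a client needs before deciding whether to start TLS."""
    if payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 packet")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii")
    pos = end + 1
    (connection_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1                                   # skip scramble part 1 and filler
    (cap_lo,) = struct.unpack_from("<H", payload, pos)
    pos += 2 + 1 + 2                                   # skip charset and status flags
    (cap_hi,) = struct.unpack_from("<H", payload, pos)
    capabilities = cap_lo | (cap_hi << 16)
    return {"version": version, "connection_id": connection_id, "capabilities": capabilities}


def negotiate(payload: bytes, mode: str) -> str:
    """Client-side decision after reading the server handshake.
    mode is one of this example's own names:
      'disabled' - never use TLS
      'permit'   - the documented 5.6 --ssl behaviour: use TLS if offered, else fall back
      'require'  - abort instead of falling back to plaintext
    Returns 'tls' or 'plaintext', or raises ConnectionError in 'require' mode."""
    caps = parse_handshake(payload)["capabilities"]
    if mode == "disabled":
        return "plaintext"
    if caps & CLIENT_SSL:
        return "tls"                                   # client sends SSLRequest, then starts TLS
    if mode == "require":
        raise ConnectionError("server did not advertise CLIENT_SSL; refusing to downgrade")
    return "plaintext"                                 # silent fallback, exactly as documented


def outcome(payload: bytes, mode: str) -> str:
    """negotiate() with the abort reported as the value 'refused'."""
    try:
        return negotiate(payload, mode)
    except ConnectionError:
        return "refused"


if __name__ == "__main__":
    with_tls = build_handshake(b"5.6.25", CLIENT_PLUGIN_AUTH | CLIENT_SSL)
    without_tls = build_handshake(b"5.6.25", CLIENT_PLUGIN_AUTH)
    for name, pkt in (("TLS-capable server", with_tls), ("server without TLS", without_tls)):
        print(f"{name}: permit -> {outcome(pkt, 'permit')}, require -> {outcome(pkt, 'require')}")
```

The second line of that output is the whole issue: an attacker who can rewrite the handshake on the wire only has to clear one bit to get a `permit`-mode client talking plaintext. On a live connection the equivalent after-the-fact check is that `SHOW SESSION STATUS LIKE 'Ssl_cipher'` returns a non-empty cipher name; a client that treats an empty value as a failure gets the `require` behaviour even with a 5.6 client library.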



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F>