From owner-svn-ports-head@freebsd.org Fri Jul 17 10:30:50 2015 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8DD929A281C for ; Fri, 17 Jul 2015 10:30:50 +0000 (UTC) (envelope-from feld@feld.me) Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5BE4B1104 for ; Fri, 17 Jul 2015 10:30:50 +0000 (UTC) (envelope-from feld@feld.me) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 9BBA520976 for ; Fri, 17 Jul 2015 06:30:48 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute6.internal (MEProxy); Fri, 17 Jul 2015 06:30:48 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=feld.me; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=Y/NVA6NaM95DZAOm4dQG6Fm+xlg=; b=xbAdz5 +qG200SsHZM1dMNAawHC3C5EEkgX+J+sfCB2/3pG6hLFalOPPiDck9EOYbpb5xHR kmGpfS9/FREfozZuLylbnVgxGWowqcuaEiD6LQN7egcNTWGoUB1xD3HztWPZ0kdf TyBQdFkjTTTPljN5jiyBYxtfag58lu5bCz7QM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=Y/NVA6NaM95DZAO m4dQG6Fm+xlg=; b=Rxeu6efwk8T/GWpS50bU63Eq5blgM9tf/BhxPHxSsS4vRLX WWZCNUpUSjFMV8ebk0nK1f4D5+BKrB4XhSRrxgQKW2hd4b7XlXfK//NPnA1llBts hXbaM+wUnBvUPIUQFbdqFHGjGyjQ/HVNFXm1xcnsUbE5YsdVxvhAmXHrbajI= X-Sasl-enc: V7W9+67sUuDrMnN/6dSw8ev6pEjHakyPXqznUiQcEBKy 1437129048 Received: from [172.16.1.118] (68-117-126-78.static.mdsn.wi.charter.com [68.117.126.78]) by mail.messagingengine.com (Postfix) with ESMTPA id 1FB6CC00027; Fri, 17 Jul 2015 06:30:48 -0400 (EDT) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\)) Subject: Re: svn commit: r392140 - head/databases/mysql56-server From: Mark Felder In-Reply-To: <20150717101036.GX63119@droso.dk> Date: Fri, 17 Jul 2015 05:30:47 -0500 Cc: Alex Dupre , ports-secteam@FreeBSD.org, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <77EB147A-D6C1-4D3B-9CF6-6E4793F0EA0F@feld.me> References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org> <20150717101036.GX63119@droso.dk> To: Erwin Lansing X-Mailer: Apple Mail (2.2102) X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2015 10:30:50 -0000 > On Jul 17, 2015, at 05:10, Erwin Lansing wrote: >=20 > On Fri, Jul 17, 2015 at 11:56:08AM +0200, Alex Dupre wrote: >> Erwin Lansing wrote: >>>> URL: https://svnweb.freebsd.org/changeset/ports/392140 >>>>=20 >>>> Log: >>>> Update to 5.6.25 release. >>>=20 >>> Does this by any change fix this vulnerability? >>=20 >> No, probably they are not going to fix this "vulnerability" because, >> even if it wasn't a great security choice and in fact it changed in >> mysql 5.7, it was the intended and documented behavior: >>=20 >>=20 >>> For MySQL client programs, this option permits but does not require = the client to connect to the server using SSL. Therefore, this option is = not sufficient in itself to cause an SSL connection to be used. For = example, if you specify this option for a client program but the server = has not been configured to enable SSL connections, the client falls back = to an unencrypted connection.=20 >>=20 >=20 > Currently, the VuXML entry prohibits the installation of the mysql, = mariadb, > and percona servers in any version. Adding ports-secteam for advice = on > how to handle this situation. >=20 You're right, this entry is stopping all MySQL installations... However, = mariadb55 and mariadb10 could both be bumped to versions that are not = affected. If we want to remove this blocker perhaps a pkg-install message would be = sufficient?