From: Curtis Villamizar
To: joneum@FreeBSD.org, freebsd-database@freebsd.org, freebsd-ports@freebsd.org
Subject:
Date: Sat, 01 May 2021 22:02:55 -0400

The ports collection still has MySQL server versions 5.7.33 and 8.0.23. The VuXML database has had an entry for mysql since April 20 that affects mysql57-server < 5.7.34 and mysql80-server < 8.0.24.
It sounds rather severe:

  This Critical Patch Update contains 49 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

See http://vuxml.freebsd.org/freebsd/56ba4513-a1be-11eb-9072-d4c9ef517024.html

Any idea when the port will be updated? It might be good to update this promptly just in case someone wants to run some sort of serious mysql application in production.

Curtis

ps - I copied freebsd-ports since there is no recent activity on freebsd-database other than some spam in January and the mailing list appears to be unused. And btw - yes I know to update using git.