Bug 271686

Summary: <=dev-db/mysql-5.0.42 removal for GLSA 200809-04
Product: Gentoo Linux
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: New packages
Assignee: Gentoo Linux MySQL bugs team <mysql-bugs>
Status: RESOLVED FIXED
Severity: enhancement
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 271670

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 13:31:09 UTC
Please remove the following ebuilds as they are vulnerable to GLSA 200809-04
( http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml ) :

=dev-db/mysql-4.1.22-r1
=dev-db/mysql-5.0.44-r1
=dev-db/mysql-5.0.44-r2
=dev-db/mysql-4.0.27-r1
=dev-db/mysql-5.0.26-r2
=dev-db/mysql-5.0.54
=dev-db/mysql-5.0.40
=dev-db/mysql-5.0.38
=dev-db/mysql-5.0.42


Note that other (unstable) atoms might be missing from this list that are
vulnerable to the same GLSA. Please remove those as well.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 13:32:43 UTC
Note there is also GLSA 200804-04, GLSA 200711-25, GLSA 200711-25 and GLSA 200705-11 affecting some of these versions.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-05-29 18:59:52 UTC
- I will NOT remove =dev-db/mysql-4.1.22-r1 as it exists for users that can't upgrade to a newer series for other reasons.
- I'm loath to remove other old versions as well, as they have been very useful in tracing where bugs were introduced by upstream. Removing the ebuilds means the patch tarballs are going to start to vanish off the mirrors, making it hard for users to just recover the ebuild for testing.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 19:06:06 UTC
As you point out, it's beneficial for users to have those old ebuilds around. Can we make it more apparent that they are not supported anymore then? That is, remove keywords or package mask them, stating that the packages should not be used in public/production environments?
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-05-30 19:17:45 UTC
I'm fine with package.mask of the old ones.
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-28 14:31:23 UTC
# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned.
<dev-db/mysql-5.0.60-r1

I went with 5.0.60-r1, because that is what the GLSA said even though it was different than this bug title. http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml

This bug can be resolved after Robin takes a look as the maintainer.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-07-28 19:46:42 UTC
The package.mask is fine, closing bug, not removing old packages.
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-29 15:24:55 UTC
Had to mask virtuals as well.

# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned. bug 271686
<dev-db/mysql-5.0.60-r1
<virtual/mysql-5.
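As an added example (not part of this bug or of Gentoo's own tooling), a small Python check that a package.mask atom like the one in comment 5 actually covers every ebuild the reporter listed, using a simplified Gentoo version comparison (numeric components, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes and a -rN revision; the PMS leading-zero string rule is not implemented, and only the < and <= operators are supported).

```python
import re

# Constructed from this bug: the dev-db/mysql versions the reporter listed
# as vulnerable to GLSA 200809-04.
VULNERABLE_EBUILDS = [
    "4.1.22-r1", "5.0.44-r1", "5.0.44-r2", "4.0.27-r1", "5.0.26-r2",
    "5.0.54", "5.0.40", "5.0.38", "5.0.42",
]
# The package.mask entry from comment 5.
MASK_ATOM = "<dev-db/mysql-5.0.60-r1"

_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?")
_ATOM_RE = re.compile(r"(<=|<)([A-Za-z0-9_+-]+/[A-Za-z0-9_+-]+?)-(\d.*)")

def version_key(ver):
    """Comparable tuple for a Gentoo version: numeric parts, optional
    letter, _suffixes (a plain release ranks above _rc but below _p), -rN."""
    m = _VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = ord(m.group(2)) if m.group(2) else 0
    suffixes = [(_SUFFIX_RANK[s], int(n or 0))
                for s, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group(3))]
    suffixes.append((0, 0))  # sentinel: "no more suffixes" sorts between _rc and _p
    return nums, letter, tuple(suffixes), int(m.group(4) or 0)

def atom_matches(atom, pkg, ver):
    """True if pkg at version ver is covered by a '<' or '<=' mask atom."""
    m = _ATOM_RE.fullmatch(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom}")
    op, atom_pkg, atom_ver = m.groups()
    if atom_pkg != pkg:
        return False
    if op == "<":
        return version_key(ver) < version_key(atom_ver)
    return version_key(ver) <= version_key(atom_ver)

def unmasked_vulnerable(mask_atom, pkg, versions):
    """Versions from the vulnerable list that the mask does NOT cover."""
    return [v for v in versions if not atom_matches(mask_atom, pkg, v)]

if __name__ == "__main__":
    # Expected: an empty list, i.e. the mask covers every listed ebuild.
    print("not covered:", unmasked_vulnerable(MASK_ATOM, "dev-db/mysql", VULNERABLE_EBUILDS))
```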