CVE-2008-4456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456): Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document.
This bug is ancient! I think we should remove the versions from the tree. What does the MySQL herd think?
judging from the heinlich advisory, versions newer than 5.0.45 are also affected: http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
Seems that the initial bug request was for 5.0.37, 5.0.26, 5.0.45, but wasn't reviewed/pushed until now.
I'll try to include the patch with 5.0.68. Security: FYI, I consider this really low danger, there were enough other breakages of the HTML and XML command-line output that they are practically unused.
I also thought so, but forgot to change prio, d'oh. :/ Where did the Status Whiteboard go? I was absolutely sure I filled out THAT. Oh well...
Robin, you added a blocker on bug 246652 -- is this bug fixed in 5.0.70 ?
Sorry, this one isn't fixed in 5.0.70 it seems. I'll update the patchset for 5.0.72 shortly, just interacting with upstream on one new bug on 5.0.72
It's in the tree as mysql-5.0.70-r1 now. Stabilization is in bug 246652.
Read to vote, I vote YES (we have request for mysql already and this could be added)
ack, added.
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).