Bug 133354 - GLSA 200605-13 states wrong unaffected version of MySQL
Summary: GLSA 200605-13 states wrong unaffected version of MySQL
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
Reported: 2006-05-15 00:13 UTC by Christian Gut
Modified: 2006-05-16 13:37 UTC
Description Christian Gut 2006-05-15 00:13:33 UTC
According to the original Advisory
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-05/msg00041.html

4.0.27 is unaffected. The GLSA states that only versions greater than 4.0.27 are unaffected, which leads to all users upgrading to 4.1.x.

The following diff fixes the GLSA:
--- /usr/portage/metadata/glsa/glsa-200605-13.xml~      2006-05-13 17:37:08.000000000 +0200
+++ /usr/portage/metadata/glsa/glsa-200605-13.xml       2006-05-15 09:10:37.291875064 +0200
@@ -16,7 +16,7 @@
   <affected>
     <package name="dev-db/mysql" auto="yes" arch="*">
       <unaffected range="ge">4.1.19</unaffected>
-      <unaffected range="rgt">4.0.27</unaffected>
+      <unaffected range="rge">4.0.27</unaffected>
       <vulnerable range="lt">4.1.19</vulnerable>
     </package>
   </affected>
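Review bot: with only the rgt to rge change in the second unaffected entry, the line `<vulnerable range="lt">4.1.19</vulnerable>` still matches 4.0.27, so the fix depends on glsa-check letting an `<unaffected>` match take precedence over a `<vulnerable>` match; a quick glsa-check run against an installed 4.0.27 before and after the patch would confirm the forced 4.1.19 upgrade advice disappears. The hunk also touches only the `<affected>` block, so the GLSA's resolution text, which still tells 4.0.x users to move to 4.1.19, needs the same correction.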
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-15 00:35:47 UTC
Fixed in CVS. Thanks for the notification. Policy says no GLSA errata, but since this forces a major upgrade I'd like to hear opinions.
Comment 2 Christian Gut 2006-05-15 01:57:56 UTC
Oh, and one thing I forgot: should we fix the resolution section? It also states the major upgrade. I don't actually know how the revisions should be handled there.

As it's not too long since this GLSA went public, I think an errata could help users.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-15 02:28:49 UTC
Resolution also fixed in CVS.

Geez I need more coffee :-/
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-05-15 09:35:54 UTC
We could use a new release, yes. I would rather do a GLSA update to specify the additional fixed version rather than a GLSA errata (because it's not an error needing an errata GLSA according to policy).
Comment 5 Christian Gut 2006-05-15 10:24:12 UTC
Update seems ok to me, since it is a change in a positive way (more versions are unaffected).

Is that policy you are speaking about documented somewhere?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-15 12:24:23 UTC
Indeed it is documented.

Vulnerability Treatment Policy:
http://www.gentoo.org/security/en/vulnerability-policy.xml

In part supplemented by the GLSA Coordinator Guide:
http://www.gentoo.org/security/en/coordinator_guide.xml
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-15 13:17:29 UTC
Let's wait for all arches to go stable, then we should send an update, IMHO.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-15 23:58:50 UTC
All stable and ready for an update decision.

The situation is that the original resolution sent in the GLSA forces a major upgrade to 4.1 for 4.0 users. This was already fixed in CVS yesterday, so glsa-check users are safe.

Security please comment as policy is a bit vague on this point.
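Comment 8 above says the corrected XML makes glsa-check users safe. The block below is an added example, not part of this bug report and not gentoolkit's own glsa-check code: a small Python model of how an `<affected>` block decides whether an installed version is vulnerable, run over the snippet from the diff in the description both as originally shipped (`rgt`) and as fixed (`rge`). Its range semantics are assumptions, stated in the module docstring: plain ranges compare the whole version, the r-prefixed ranges require an equal base version and compare only the `-rN` revision, and an `<unaffected>` match takes precedence over a `<vulnerable>` match. The `dev-db/mysql` package name and the version bounds come from the diff; the sample installed versions are constructed for the example.

```python
"""Toy model of GLSA <affected> evaluation.  Added example; this is not
gentoolkit's glsa-check and the semantics below are assumptions:

  * plain ranges (eq/ge/gt/le/lt) compare the full version including -rN;
  * r-prefixed ranges (rge/rgt/rle/rlt) require the base version to be
    equal and compare only the -rN revision, so "rgt 4.0.27" matches
    4.0.27-r1 but not 4.0.27 itself, while "rge 4.0.27" matches both;
  * a version is affected when it matches some <vulnerable> range and no
    <unaffected> range (unaffected entries take precedence).
"""
import re
import xml.etree.ElementTree as ET

# The <affected> block as shipped in GLSA 200605-13 (rgt) and as fixed by
# the diff posted in the bug (rge).  Copied from the bug description.
GLSA_BEFORE = """<affected>
  <package name="dev-db/mysql" auto="yes" arch="*">
    <unaffected range="ge">4.1.19</unaffected>
    <unaffected range="rgt">4.0.27</unaffected>
    <vulnerable range="lt">4.1.19</vulnerable>
  </package>
</affected>"""
GLSA_AFTER = GLSA_BEFORE.replace('range="rgt"', 'range="rge"')

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v):
    """'4.0.27-r1' -> ((4, 0, 27), 1); a missing -rN counts as revision 0."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError("unsupported version string: %r" % v)
    base = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return base, rev


_OPS = {
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b,
    "lt": lambda a, b: a < b,
}


def in_range(installed, op, bound):
    """True if version `installed` falls inside the GLSA range (op, bound)."""
    ibase, irev = parse_version(installed)
    bbase, brev = parse_version(bound)
    if op.startswith("r"):
        # revision range (assumed semantics): same base version required,
        # only the -rN revision is compared
        return ibase == bbase and _OPS[op[1:]](irev, brev)
    return _OPS[op]((ibase, irev), (bbase, brev))


def is_affected(glsa_xml, package, installed):
    """True if `installed` of `package` matches a <vulnerable> range and no
    <unaffected> range in the given <affected> block."""
    root = ET.fromstring(glsa_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") != package:
            continue
        unaffected = any(in_range(installed, e.get("range"), e.text.strip())
                         for e in pkg.findall("unaffected"))
        vulnerable = any(in_range(installed, e.get("range"), e.text.strip())
                         for e in pkg.findall("vulnerable"))
        return vulnerable and not unaffected
    return False


if __name__ == "__main__":
    # constructed sample of installed versions a 4.0.x or 4.1.x user might have
    for ver in ("4.0.26", "4.0.27", "4.0.27-r1", "4.1.18", "4.1.19"):
        print("%-10s affected before fix: %-5s after fix: %s" % (
            ver,
            is_affected(GLSA_BEFORE, "dev-db/mysql", ver),
            is_affected(GLSA_AFTER, "dev-db/mysql", ver)))
```

Running it shows the point of the bug: with `rgt`, a plain 4.0.27 install is still flagged (the only unaffected versions are 4.1.19+ and 4.0.27-r1+), so the tool recommends the 4.1.19 upgrade; with `rge`, 4.0.27 itself is unaffected while 4.0.26 and 4.1.18 remain flagged.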
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-16 02:04:31 UTC
I would vote for a GLSA update, which seems fine in this case.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-05-16 09:24:33 UTC
+1 for GLSA update
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 13:37:16 UTC
GLSA 200605-13 updated and reissued.

Thx for the notification Christian.