The GLSA states that only MySQL 5.6 / MariaDB 10.0 are not vulnerable; however, the 5.5 series is also still supported and maintained.
MySQL team, what's your take on this? 5.5 is package.mask'ed. Was this done by your choice or because upstream doesn't support it anymore?
(In reply to Tobias Heinlein from comment #1)
> ... or because upstream doesn't support it anymore?
Both MySQL 5.5 and MariaDB 5.5 are still supported.
(In reply to Tobias Heinlein from comment #1)
> MySQL team, what's your take on this? 5.5 is package.mask'ed. Was this done
> by your choice or because upstream doesn't support it anymore?
The 5.5 series was not put in package.mask but the keywords were dropped to ~arch. This was done because 1) 5.5 was not converted to multilib 2) not to put extra stress on the arch teams when a better version was available. It is true that the 5.5 series are still getting security updates.
I'm fine with setting a current version of 5.5 series as unaffected in the GLSA, no need to stabilize 5.5.
> The 5.5 series was not put in package.mask but the keywords were dropped to
> ~arch. This was done because 1) 5.5 was not converted to multilib 2) not to
> put extra stress on the arch teams when a better version was available.
>
> It is true that the 5.5 series are still getting security updates.
Does 5.5.43 contain the latest security fixes? Bug 546722?
(In reply to Yury German from comment #5)
> Does 5.5.43 contain the latest security fixes? Bug 546722?
Checking the Oracle MySQL Risk Matrix it seems 5.5.43 is unaffected, the vulnerable versions are 5.5.42 and earlier.
On a system with the latest 5.5.45 (not vulnerable) I get:
201504-05 [N] [remote ] MySQL and MariaDB: Multiple vulnerabilities ( dev-db/mariadb dev-db/mysql-5.5.45 )
201507-19 [N] [remote ] MySQL: Multiple vulnerabilities ( dev-db/mysql-5.5.45 )