|Summary:||<dev-db/mysql-5.1.53: Several vulnerabilities|
|Product:||Gentoo Security||Reporter:||Hanno Böck <hanno>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||344031, 347796|
Description Hanno Böck 2010-11-10 22:14:11 UTC
Three Security fixes in upstream changelog, no CVEs yet:

Security Fix: The server crashed for assignment of values of types other than Geometry to items of type GeometryCollection (MultiPoint, MultiCurve, MultiSurface). Now the server checks the field type and fails with bad geometry value if it detects incorrect parameters. (Bug#55531)

Security Fix: EXPLAIN EXTENDED caused a server crash with some prepared statements. (Bug#54494)

Security Fix: In prepared-statement mode, EXPLAIN for a SELECT from a derived table caused a server crash. (Bug#54488)

5.1.52 is already in the tree, but not stabilized yet.
Comment 1 Robin Johnson 2010-11-11 00:32:30 UTC
Fun. I'm working on a 5.1.52-r1 for the hardened users still, and we can stabilize that.
Comment 2 Jorge Manuel B. S. Vicetto 2010-11-16 13:51:21 UTC
I've added a depend on the bug tracking the TEXTRELs on x86.
Comment 3 Tim Sammut (RETIRED) 2011-01-01 22:46:44 UTC
(In reply to comment #1)
> Fun.
> I'm working on a 5.1.52-r1 for the hardened users still, and we can stabilize
> that.

I see in bug 344031 that 5.1.52-r1 and 5.1.53 are working for hardened users. Can we stabilize one of these to get these security fixes? And if so, which one? Thank you.
Comment 4 Robin Johnson 2011-01-03 04:58:28 UTC
No, not yet unfortunately. The TEXTREL fix broke the build on certain multilib setups.
Comment 5 Robin Johnson 2011-04-21 12:48:56 UTC
underling: I intend to ask for this stable in 1 week.
Comment 6 Tim Sammut (RETIRED) 2011-05-05 13:46:01 UTC
@robbat2, shall we move forward with stabilization of 5.1.52-r1?
Comment 7 Robin Johnson 2011-05-05 18:35:38 UTC
(In reply to comment #6)
> @robbat2, shall we move forward with stabilization of 5.1.52-r1?

The stablereq target is 5.1.56, nothing earlier.
Comment 8 Tim Sammut (RETIRED) 2011-05-06 15:43:22 UTC
(In reply to comment #7)
> The stablereq target is 5.1.56, nothing earlier.

Ok, great, thanks.

For our future reference, 5.1.56 also includes this security fix (first fixed in 5.1.53):

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html

InnoDB Storage Engine: Security Fix: A failed CREATE TABLE statement for an InnoDB table could allocate memory that was never freed. (Bug #56947)

Arches, please test and mark stable:
=dev-db/mysql-5.1.56
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 9 Thomas Kahle (RETIRED) 2011-05-06 22:04:42 UTC
x86 stable. thanks
Comment 11 Agostino Sarubbo 2011-05-07 09:01:11 UTC
(In reply to comment #10)
> posted bug 366289 and bug 366291

anyway works for me.
Comment 12 Robin Johnson 2011-05-07 19:20:55 UTC
To clarify:

1. As usual, the test instructions are included in the ebuild
# Official test instructions:
# USE='berkdb -cluster embedded extraengine perl ssl community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mysql-X.X.XX.ebuild \
# digest clean package

2. The warning about unused configure flags is a long-standing false positive from upstream's nested unrelated configure scripts.

3. The dodoc is fixed per bug #366289.
Comment 13 Markos Chandras (RETIRED) 2011-05-08 22:07:18 UTC
Comment 14 Ian Delaney (RETIRED) 2011-05-08 23:29:54 UTC
amd64. Used recommended USE flags etc. Longest test suite so far. Emerged ok. Seems done.
Comment 15 Markus Meier 2011-05-09 05:07:11 UTC
Comment 16 Jeroen Roovers (RETIRED) 2011-05-09 11:14:14 UTC
Stable for HPPA.
Comment 17 Kacper Kowalik (Xarthisius) (RETIRED) 2011-05-14 16:10:33 UTC
Comment 18 Raúl Porcel (RETIRED) 2011-05-14 19:29:18 UTC
Comment 19 Tim Sammut (RETIRED) 2011-05-14 20:02:30 UTC
Thanks, folks. GLSA Vote: Yes (with other MySQL bugs)
Comment 20 Stefan Behte (RETIRED) 2011-10-08 22:14:44 UTC
Vote: YES. Added to pending GLSA request.
Comment 21 GLSAMaker/CVETool Bot 2012-01-05 22:47:26 UTC
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).