Bug 185333 - dev-db/mysql-{5.044,community-5.0.45}: security fixes (CVE-2007-378[01])
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Duplicates: 185506
Reported: 2007-07-14 17:22 UTC by Hanno Böck
Modified: 2011-10-30 22:39 UTC
Description Hanno Böck gentoo-dev 2007-07-14 17:22:40 UTC
From changelog: 
Security fix: A malformed password packet in the connection protocol could cause the server to crash. Thanks to Dormando for reporting this bug and providing details and a proof of concept. (Bug#28984)
Security Fix: CREATE TABLE LIKE did not require any privileges on the source table. Now it requires the SELECT privilege. (Bug#25578) 
 In addition, CREATE TABLE LIKE was not isolated from alteration by other connections, which resulted in various errors and incorrect binary log order when trying to execute concurrently a CREATE TABLE LIKE statement and either DDL statements on the source table or DML or DDL statements on the target table. (Bug#23667)
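A check an administrator could run after upgrading to confirm the CREATE TABLE LIKE privilege fix quoted in the description. This is an added example, not part of the bug report or of MySQL's changelog; the database, table and account names (`ctl_src`, `ctl_scratch`, `ctl_probe`) and the password are made up for illustration.

```sql
-- Session 1: connected with an administrative account.
CREATE DATABASE IF NOT EXISTS ctl_src;
CREATE DATABASE IF NOT EXISTS ctl_scratch;

-- Source table whose structure should not be visible to unprivileged users.
CREATE TABLE ctl_src.accounts (
    id      INT UNSIGNED  NOT NULL AUTO_INCREMENT PRIMARY KEY,
    owner   VARCHAR(64)   NOT NULL,
    balance DECIMAL(12,2) NOT NULL DEFAULT 0,
    KEY idx_owner (owner)
);

-- Hypothetical test account: may create tables in ctl_scratch only,
-- and holds no privilege of any kind on ctl_src.
GRANT CREATE ON ctl_scratch.* TO 'ctl_probe'@'localhost'
    IDENTIFIED BY 'replace-me';

-- Session 2: connected as ctl_probe.
-- A server carrying the fix rejects this with an access-denied error,
-- because ctl_probe lacks SELECT on the source table.
-- If the statement succeeds, the server still has the unfixed behaviour.
CREATE TABLE ctl_scratch.copy_denied LIKE ctl_src.accounts;

-- Session 1: grant exactly the privilege the fix requires.
GRANT SELECT ON ctl_src.accounts TO 'ctl_probe'@'localhost';

-- Session 2: the same statement is now permitted.
CREATE TABLE ctl_scratch.copy_allowed LIKE ctl_src.accounts;

-- Session 1: clean up the test objects and the test account.
DROP DATABASE ctl_scratch;
DROP DATABASE ctl_src;
DROP USER 'ctl_probe'@'localhost';
```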
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-14 20:48:45 UTC
Please try to get the package version matrix right. The fixes/issues are in the upstream releases that I corrected the summary to.

http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-44.html
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-45.html

We have enterprise 5.0.44 in the tree already, but not community 5.0.45.
I'll try to have the new community version in the tree before the end of the weekend.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-15 00:32:35 UTC
community-5.0.45 in CVS now.
I'll post testing instructions for arches in a moment.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-15 00:42:47 UTC
Testing procedures:
FEATURES='userpriv test' USE='ssl cluster extraengine' emerge =mysql-5.0.44
FEATURES='userpriv test' USE='ssl cluster extraengine' emerge =mysql-community-5.0.45

There should be _no_ failures at all this time. All past failures accounted for and handled. I can complete the tests on my machines (ppc64-32ul, x86, amd64).

Target keywords:
mysql: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
mysql-community: (none, the package is ~arch only).
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 10:41:22 UTC
Arches please test and mark stable.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-07-15 16:47:35 UTC
alpha/ia64/x86 after a lot of time passing the tests
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-15 22:04:10 UTC
dercorny asked me about the 5.0.44-r1 version I have in the tree. It runs the identical tests that 5.0.44 does, just moving some more bits into the eclass. It should have the identical result as plain 5.0.44, so feel free to test either.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-16 09:14:20 UTC
*** Bug 185506 has been marked as a duplicate of this bug. ***
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-07-16 19:36:05 UTC
5.0.44-r1 ppc64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-16 20:03:32 UTC
ppc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-16 21:32:54 UTC
dev-db/mysql-5.0.44-r1 stable for HPPA.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-17 12:57:17 UTC
sparc stable.
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-07-28 18:03:16 UTC
amd64 stable
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-28 18:36:51 UTC
Time for GLSA decision. I tend to vote yes because of the server crash.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-29 20:48:02 UTC
I vote YES.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-29 22:18:30 UTC
Same as the last MySQL security bug, I don't understand why we don't use mysqld_safe to automatically restart mysqld... voting GLSA, since the server is shut down...
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-16 22:05:24 UTC
GLSA 200708-10, sorry for the delay...