Bug 271686 - <=dev-db/mysql-5.0.42 removal for GLSA 200809-04
Summary: <=dev-db/mysql-5.0.42 removal for GLSA 200809-04
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Linux MySQL bugs team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: glsa-removal
Reported: 2009-05-29 13:31 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-29 15:24 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 13:31:09 UTC
Please remove the following ebuilds as they are vulnerable to GLSA 200809-04
( http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml ) :

=dev-db/mysql-4.1.22-r1
=dev-db/mysql-5.0.44-r1
=dev-db/mysql-5.0.44-r2
=dev-db/mysql-4.0.27-r1
=dev-db/mysql-5.0.26-r2
=dev-db/mysql-5.0.54
=dev-db/mysql-5.0.40
=dev-db/mysql-5.0.38
=dev-db/mysql-5.0.42


Note that other (unstable) atoms might be missing from this list that are
vulnerable to the same GLSA. Please remove those as well.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 13:32:43 UTC
Note there is also GLSA 200804-04, GLSA 200711-25, GLSA 200711-25 and GLSA 200705-11 affecting some of these versions.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-05-29 18:59:52 UTC
- I will NOT remove =dev-db/mysql-4.1.22-r1 as it exists for users that can't upgrade to a newer series for other reasons.
- I'm loath to remove other old versions as well, as they have been very useful in tracing where bugs were introduced by upstream. Removing the ebuilds means the patch tarballs are going to start to vanish off the mirrors, making it hard for users to just recover the ebuild for testing.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 19:06:06 UTC
As you point out, it's beneficial for users to have those old ebuilds around. Can we make it more apparent that they are not supported anymore then? That is, remove keywords or package mask them, stating that the packages should not be used in public/production environments?
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-05-30 19:17:45 UTC
I'm fine with package.mask of the old ones.
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-28 14:31:23 UTC
# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned.
<dev-db/mysql-5.0.60-r1

I went with 5.0.60-r1, because that is what the GLSA said even though it was different than this bug title. http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml

This bug can be resolved after Robin takes a look as the maintainer.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-07-28 19:46:42 UTC
The package.mask is fine, closing bug, not removing old packages.
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-29 15:24:55 UTC
Had to mask virtuals as well.

# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned. bug 271686
<dev-db/mysql-5.0.60-r1
<virtual/mysql-5.
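As an added illustration (not code from this bug or from Gentoo's portage), a small Python check showing which of the ebuild atoms listed in the description the package.mask entry from comment 7 actually covers. It assumes a simplified atom grammar: numeric versions with an optional -rN revision, the five comparison operators, no version suffixes and no ~ operator; the truncated virtual/mysql line is left out.

```python
import re
from typing import NamedTuple, Tuple

# Simplified Gentoo atom grammar (assumption: numeric versions plus an optional
# -rN revision only; suffixes such as _p1/_rc and the ~ operator are not handled).
_ATOM_RE = re.compile(r"^(<=|>=|<|>|=)?(.+?)-(\d+(?:\.\d+)*)(?:-r(\d+))?$")

class Atom(NamedTuple):
    op: str
    pkg: str
    ver: Tuple[int, ...]  # numeric version components, e.g. (5, 0, 60)
    rev: int              # ebuild revision from -rN (0 when absent)

def parse_atom(text: str) -> Atom:
    m = _ATOM_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported atom syntax: %r" % text)
    op, pkg, ver, rev = m.groups()
    return Atom(op or "", pkg, tuple(int(p) for p in ver.split(".")), int(rev or 0))

def masked_by(mask: str, ebuild: str) -> bool:
    """True if the package.mask entry `mask` covers the versioned atom `ebuild`."""
    m, e = parse_atom(mask), parse_atom(ebuild)
    if m.pkg != e.pkg:
        return False
    # Version components are compared first, then the revision, as tuples.
    key_m, key_e = (m.ver, m.rev), (e.ver, e.rev)
    return {"<": key_e < key_m, "<=": key_e <= key_m, ">": key_e > key_m,
            ">=": key_e >= key_m, "=": key_e == key_m}[m.op]

def masked_versions(mask_file: str, ebuilds):
    """Return the atoms in `ebuilds` covered by any entry of a package.mask text."""
    masks = [ln.strip() for ln in mask_file.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return [e for e in ebuilds if any(masked_by(mk, e) for mk in masks)]

# Constructed from the mask block in comment 7 (truncated virtual line omitted).
MASK_FILE = """\
# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# These versions are vulnerable to GLSA's and should not be used. bug 271686
<dev-db/mysql-5.0.60-r1
"""
# The nine ebuilds listed in the bug description.
LISTED_EBUILDS = [
    "=dev-db/mysql-4.1.22-r1", "=dev-db/mysql-5.0.44-r1", "=dev-db/mysql-5.0.44-r2",
    "=dev-db/mysql-4.0.27-r1", "=dev-db/mysql-5.0.26-r2", "=dev-db/mysql-5.0.54",
    "=dev-db/mysql-5.0.40", "=dev-db/mysql-5.0.38", "=dev-db/mysql-5.0.42",
]

if __name__ == "__main__":
    for atom in LISTED_EBUILDS + ["=dev-db/mysql-5.0.60-r1"]:
        print(atom, "masked" if masked_versions(MASK_FILE, [atom]) else "not masked")
```

The 4.x atoms fall under the mask as well, which is why the single `<dev-db/mysql-5.0.60-r1` entry was enough for the whole list; 5.0.60-r1 itself is the first unmasked version.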