CVE-2009-2446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446): Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information.
mysql: we already have 5.0.83 in tree, would it be ok to stable? The exploit did not work for us, so there seems no need no hurry.
mysql: *ping*
+1, but beware that it no longer compiles with <gcc-4. This a show-stopper for hardened.
mysql: what is your planned timeline on this?
I answered you already that you could stable it once hardened has a stable GCC4.
I somehow misinterpreted your answer, sorry. Adding bug nr as dependency.
stabling is done currently happening in bug 290485.
stabling moved to sec bug 303747
(In reply to comment #8) > stabling moved to sec bug 303747 All security-supported arches have done the stabilization from bug #303747. Should we make the decision about GLSA?
B2 needs a GLSA, there is nothing to decide.
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).