Three Security fixes in upstream changelog, no CVEs yet: Security Fix: The server crashed for assignment of values of types other than Geometry to items of type GeometryCollection (MultiPoint, MultiCurve, MultiSurface). Now the server checks the field type and fails with bad geometry value if it detects incorrect parameters. (Bug#55531) Security Fix: EXPLAIN EXTENDED caused a server crash with some prepared statements. (Bug#54494) Security Fix: In prepared-statement mode, EXPLAIN for a SELECT from a derived table caused a server crash. (Bug#54488) 5.1.52 is already in the tree, but not stabilized yet.
Fun. I'm working on an 5.1.52-r1 for the hardened users still, and we can stabilize that.
I've added a depend on the bug tracking the TEXTRELs on x86.
(In reply to comment #1) > Fun. > I'm working on an 5.1.52-r1 for the hardened users still, and we can stabilize > that. > I see in bug 344031 that 5.1.52-r1 and 5.1.53 are working for hardened users. Can we stabilize one of these to get these security fixes? And if so, which one? Thank you.
No, not yet unfortunately. The TEXTREL fix broke the build on certain multilib setups.
underling: I intend to ask for this stable in 1 week.
@robbat2, shall we move forward with stabilization of 5.1.52-r1?
(In reply to comment #6) > @robbat2, shall we move forward with stabilization of 5.1.52-r1? The stablereq target is 5.1.56, nothing earlier.
(In reply to comment #7) > The stablereq target is 5.1.56, nothing earlier. Ok, great, thanks. For our future reference, 5.1.56 also includes this security fix (first fixed in 5.1.53): http://dev.mysql.com/doc/refman/5.1/en/news-5-1-53.html InnoDB Storage Engine: Security Fix: A failed CREATE TABLE statement for an InnoDB table could allocate memory that was never freed. (Bug #56947) Arches, please test and mark stable: =dev-db/mysql-5.1.56 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable. thanks
posted bug 366289 and bug 366291
(In reply to comment #10) > posted bug 366289 and bug 366291 anyway works for me.
To clarify: 1. As usual, the test instructions are included in the ebuild # Official test instructions: # USE='berkdb -cluster embedded extraengine perl ssl community' \ # FEATURES='test userpriv -usersandbox' \ # ebuild mysql-X.X.XX.ebuild \ # digest clean package 2. The warning about unused configure flags is a long-standing false positive from upstream's nested unrelated configure scripts. 3. The dodoc is fixed per bug #366289.
amd64 done
and64. used recommended use flags etc. Longest test suite so far. emerged ok. seems done
arm stable
Stable for HPPA.
ia64/ppc/ppc64 stable
alpha/s390/sh/sparc stable
Thanks, folks. GLSA Vote: Yes (with other MySQL bugs)
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201201-02 at http://security.gentoo.org/glsa/glsa-201201-02.xml by GLSA coordinator Tim Sammut (underling).