From $URL:

Discussion: DBD::mysql module for Perl is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks.

Solution: Updates are available. Please see the references or vendor advisory for more information.

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789
Fedora has applied the following commit to their package to address this vulnerability: https://src.fedoraproject.org/cgit/rpms/perl-DBD-MySQL.git/commit/?h=f27&id=f9abbc81ab5fd9d8160218d12cd3a20770a90aec
Upstream have just released version 4.044, however, reading the diff doesn't make it 100% clear whether this version is expected to address this CVE. Can sec team comment? https://metacpan.org/diff/file?target=CAPTTOFU/DBD-mysql-4.044/&source=MICHIELB%2FDBD-mysql-4.043
The change log mentions CVE-2017-10789 and it is referring to http://seclists.org/oss-sec/2018/q1/41 so yes, this release should address CVE-2017-10789.
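Because the issue described in this bug is a man-in-the-middle exposure on a connection the application believed was protected, a defensive check is to verify after connecting that the session is actually encrypted rather than trusting the connection attribute alone. This is an added example, not code from the bug or from the DBD::mysql project; the host, credentials and CA path are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from this bug or the DBD::mysql project): request SSL
# via mysql_ssl=1, then confirm on the server side that the session is
# encrypted, so that a driver or server that silently fell back to
# cleartext is caught at runtime. Host, credentials and CA path are
# placeholders.
use strict;
use warnings;
use DBI;

sub connect_tls_only {
    my (%arg) = @_;
    my $dsn = "DBI:mysql:database=$arg{db};host=$arg{host};port=$arg{port}"
            . ";mysql_ssl=1;mysql_ssl_ca_file=$arg{ca_file}";
    my $dbh = DBI->connect($dsn, $arg{user}, $arg{pass},
                           { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

    # Ssl_cipher is empty on an unencrypted session no matter what the
    # client asked for; treat that as a hard failure, not a warning.
    my (undef, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
    unless (defined $cipher && length $cipher) {
        $dbh->disconnect;
        die "connection to $arg{host} is not encrypted; refusing to proceed\n";
    }
    return ($dbh, $cipher);
}

my ($dbh, $cipher) = connect_tls_only(
    host => 'db.example.invalid', port => 3306, db => 'app',
    user => 'app', pass => 'REPLACE_ME', ca_file => '/etc/ssl/mysql-ca.pem',
);
print "session encrypted with $cipher\n";
$dbh->disconnect;
```

The check stays useful after updating to a fixed driver: it also catches a server that was reconfigured without SSL support, which would otherwise only show up as a cleartext session.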
Ugh. Working on bumping it, but I've hit a snag where a new test doesn't pass with the MariaDB instance I'm using. But I can't work out why or what the solution is, because chasing the rabbit ends up far deeper than I can mentally handle. So I'll ship 4.044 with known-failing tests in the name of timeliness and file bugs for the stuff I can't fix. However, the issue present is zero-fill related... which may indicate broken functionality with amvis:

t/rt118977-zerofill.t ................... 1/8
# Failed test at t/rt118977-zerofill.t line 22.
# got: '1'
# expected: '00001'
# Looks like you failed 1 test of 8.
t/rt118977-zerofill.t ................... Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/8 subtests
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d845674dece9cded838f4184eeeaf33fea0a0ae

commit 0d845674dece9cded838f4184eeeaf33fea0a0ae
Author: Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-01-24 04:33:33 +0000
Commit: Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-01-24 04:40:44 +0000

dev-perl/DBD-mysql: Bump to version 4.44.0

- Remove embedded support
- https://bugs.gentoo.org/644174
- https://bugs.gentoo.org/598048
- removal from older versions may happen later

Upstream:
- Fix for CVE-2017-10788 ( https://bugs.gentoo.org/623632 )
- Fix for CVE-2017-10789 ( https://bugs.gentoo.org/623942 )
- Enforce SSL settings for BACKRONYM and Riddle
- Fix parsing of mysql_config --libs output in Configure
- Return INTs with ZEROFILL as strings
- Some fixes for 5.26-dot-in-inc

Bug: https://bugs.gentoo.org/598048
Bug: https://bugs.gentoo.org/623632
Bug: https://bugs.gentoo.org/623942
Bug: https://bugs.gentoo.org/644174
Package-Manager: Portage-2.3.18, Repoman-2.3.6

dev-perl/DBD-mysql/DBD-mysql-4.44.0.ebuild | 64 +++++++++
dev-perl/DBD-mysql/Manifest | 1 +
.../DBD-mysql-4.044-amvis-type-conversions.patch | 56 ++++++++
.../files/DBD-mysql-4.044-no-dot-inc.patch | 151 +++++++++++++++++++++
4 files changed, 272 insertions(+)
@maintainer(s), please let us know when ready for stable or call for it when ready.
@arches, please stabilize.
ppc64 stable
ppc stable
ia64 stable
x86 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1368d6ae9995a7436b3c8705880cb32c01fa6274

commit 1368d6ae9995a7436b3c8705880cb32c01fa6274
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-30 12:35:04 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-30 12:35:44 +0000

dev-perl/DBD-mysql: amd64 stable

Bug: https://bugs.gentoo.org/623942
Package-Manager: Portage-2.3.26, Repoman-2.3.7

dev-perl/DBD-mysql/DBD-mysql-4.44.0.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
arm stable
hppa is now in exp and no longer security supported. @maintainer(s), please clean.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1047d0842af2ab8efe0dd35341508647dea17d22

commit 1047d0842af2ab8efe0dd35341508647dea17d22
Author: Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-05-27 07:19:19 +0000
Commit: Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-05-27 07:24:08 +0000

profiles: package.mask <dev-perl/DBD-mysql-4.44.0 re bug #623942

Package masking older versions due to CVE-2017-10789, retained only for people who desperately need older compat versions. ( DBD-mysql upstream have a recent track record of terrible compatibility between minor versions )

Bug: https://bugs.gentoo.org/623942

profiles/package.mask | 7 +++++++
1 file changed, 7 insertions(+)
We need to do this for hppa and sparc for bug 630898.
... and done