mariadb-5.5.25-2.4.mga2 has been submitted
mysql-5.5.23-1.3.mga1 also (backported patch)
i would ask to validate & release, but to hold off posting the (admittedly short and vague) SA to the public maillist.
This fixes (at the time of writing undisclosed) CVE-2012-5579. More information will become available at https://mariadb.atlassian.net/browse/MDEV-3884 .
Testing complete on Mageia 2 i586 and x86-64.
Just testing that a database and a table can be added using phpmyadmin.
Will test Mageia 1 once the mirror has synced.
Testing complete on Mageia 1 i586 and x86-64.
Could someone from the sysadmin team push the srpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
from Mageia 1 Core Updates Testing to Core Updates.
Advisory: This fixes (at the time of writing undisclosed) CVE-2012-5579.
More information will become available at
Update pushed, advisory postponed, MGASA-2012-0349 reserved.
New Security Advisory (can be announced):
This fixes CVE-2012-5611 (originally CVE-2012-5579).
More information is available at
MySQL bug 13889741 (CVE-2012-3163) was, apparently, not completely fixed. A similar test case finds a new and more dangerous buffer overflow.
To exploit this one needs a valid low-privileged user account in the MariaDB (or MySQL) server.
Debian has issued an advisory for this today (December 4):
Therefore, it's also hit LWN, of course.
Thomas, could you issue the advisory for this update now please.
See comment 4 on.
guys, i'm sure he'll get to it when he has the time... it's not superimportant...
It is normal for us to ask sysadmin to push things etc AL13N. The bug is assigned to qa-bugs so sysadmin (Thomas) will be looking for comments from QA.
Nobody is demanding immediate attention, I think you are reading it wrong.
i guess you're right.
allthough it looks to me that it's been said now 3 times in various direct/indirect ways and he was in CC for all of them...
it looked like overkill to me.
but then, i guess this is also communication and it's issues...
So in the update we issued for Mageia 1 for this (the last update before EOL), the patch to fix this wasn't actually applied!
I have fixed that in SVN, but unfortunately, the patch doesn't fully apply successfully, as the last hunk fails.
I have also added the patch in Mageia 1 SVN for CVE-2012-5612 which we recently fixed in Mageia 2. That patch applies just fine.
I know Mageia 1 has reached EOL, but since we actually issued a false advisory claiming we fixed this, shouldn't we do something about it?
WDYM it wasn't applied? didn't i apply it back in november?
and, what could we do? we can't issue updates for something that's been EOL and closed...
i notice in revision 323176:
fix CVE-2012-5579 ...
i don't see the problem here...
ah, nvm, i see the problem now...
mysql doesn't have %apply_patches like mariadb does... so it never got fixed... :-(
Created attachment 3464 [details]
Created attachment 3465 [details]
This is fixed now in SVN. AL13N fixed the patch.
Thomas, should we at least do something to inform people that this wasn't fixed for MySQL in the update at the end of November?
(In reply to comment #14)
> ah, nvm, i see the problem now...
> mysql doesn't have %apply_patches like mariadb does... so it never got fixed...
Assumptions are bad when doing security updates...
(In reply to comment #17)
> This is fixed now in SVN. AL13N fixed the patch.
> Thomas, should we at least do something to inform people that this wasn't fixed
> for MySQL in the update at the end of November?
I dont think it's needed... we are ~2 months since we dropped mga1 support, so even if they got that fix, mysql is still vulnerable to other problems now, so they either need to build updates by themselves or switch to a supported mga2