Subject: Re: mysql security vulnerability question
To: Thomas Klausner <wiz@NetBSD.org>
From: Hisashi T Fujinaka <htodd@twofifty.com>
List: tech-pkg
Date: 09/17/2003 16:20:23
On Wed, 17 Sep 2003, Thomas Klausner wrote:

> On Tue, Sep 16, 2003 at 04:18:16PM -0700, Hisashi T Fujinaka wrote:
> > Should I be expecting an update of the package, or should I patch the
> > package myself (I didn't see a patch in the announcement I see night
> > after night), or should I just hope no one knows I'm running mysql?
> >
> > I'm just not sure what audit-packages does for me.
> >
> > If I were to receive a security announcement, I'd know there were fixes
> > already in place. At this point I think I've seen a warning from
> > audit-packages three nights in a row with no cvs commits to
> > pkgsrc/databases.
>
> I added the entry, since I thought you would like to be informed
> about vulnerabilities, even if we do not currently provide a fix.
>
> After all, the vulnerability is already publicly known, so not
> adding it to the file doesn't buy us anything.
>
> I had hoped some mysql-interested developers would have committed
> the fix by now, but it seems it didn't happen -- I'll probably
> fix it tomorrow.

Aha. Well, that clears things up for me. I was impatiently waiting for
something to happen. I would have tried (once again) to figure out how
packaging works, but I saw what happened when Jeremy Reed tried to
package up pine. I know the theory that learning is good, but I haven't
found that to be the case lately.

I guess I'll have to bite the bullet and learn something. :)

> P.S. Feel free to provide an update for e.g. xfstt... current
> pkgsrc version is also vulnerable, but the program seems to
> interest no one enough :)

-- 
Hisashi T Fujinaka - htodd@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte