Your message dated Sun, 3 Jul 2016 11:46:27 +0200
with message-id <[email protected]>
and subject line closing bugs reported against ancient mysql-5.1
has caused the Debian Bug report #627207,
regarding mysql-5.1: Embedded libraries (yassl + taocrypt)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
627207: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627207
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mysql-5.1
Version: 5.1.57-1
Severity: wishlist
While debugging the FTBFS on i386 I have found two embedded libraries
included in MySQL source code: yassl (extra/yassl) and taocrypt
(extra/yassl/taocrypt), both available from www.yassl.com as separate
libraries.
Since it is against the policy (although only 'should') and it's
hell from a security POV[1], it would be much better to package those two
libraries separately and link MySQL against the separate packages if
possible (there could be some MySQL source changes which would
prevent doing so).
Another thing which hit me is that MySQL AB blatantly relicensed the
source code of both libraries, which might be a violation of the GPL. Or
there is some background agreement between MySQL AB/Oracle and
Sawtooth Consulting Ltd. which is not visible from the source code.
Please note that this relicensing might raise the severity to RC, but
since www.yassl.com lists MySQL as a user of their libraries,
I guess they are ok with it.
1. Are you able to tell if any of those security advisories listed
here: http://secunia.com/advisories/product/6145/ apply to MySQL?
I am not even able to tell which version of yaSSL is bundled
with MySQL. It seems to me that it's 1.6.0 and it is vulnerable
to: http://aluigi.altervista.org/adv/yasslick-adv.txt
O.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty'),
(100, 'natty-backports')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-8-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
This bug has been reported against an ancient version of mysql (5.1),
that was last released with Debian 6.0 (squeeze). But even squeeze-lts
has now reached end-of-life and is no longer supported.
The bug is assumed to be fixed (or no longer relevant) in newer mysql
(or mariadb) releases and therefore I'm closing this report now. If the
problem is still reproducible in the currently supported versions
(mysql-5.6/mysql-5.7), feel free to provide more information, reopen
and reassign this bug report.
Andreas
--- End Message ---