On 2013-04-07 19:26, Michael Gilbert wrote:
clone 675872 -1
reassign -1 src:mysql-5.5

There still isn't much to go on about this issue, but all signs point
to it still existing.  Note that redhat's mysql packages use openssl
instead of yassl; altogether avoiding the uncertainties with yassl,
which seems not very supported security-wise.  It may be wise to do
the same for the Debian packages.


What gave you the impression it is still existing? Oracle claims it was resolved in 5.5.22 and 5.1.62. Ubuntu has also marked it as resolved.

This seems like an uninformed opinion. yaSSL is quite well supported and this issue was addressed rather quickly. The yaSSL team responds quite rapidly to open CVEs, and even the most recent one, CVE-2013-1623 [1], is addressed in yaSSL (just not in an upstream release of MySQL yet).

OpenSSL is not an option until OpenSSL has granted a license exception for MySQL, something, AFAICT, they have not done. It is merely an opinion of RedHat that they don't need one, but Debian has taken an opposite position.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699886

