* Devin Carraway [Wed, 26 Nov 2008 00:46:38 -0800]:

> I'd like to upload a security fix for mysql-dfsg-5.0 to t-p-u. The fix is for
> CVE-2008-4098, which enables privilege escalation of authenticated mysql users
> via symlink traversal. In the worst case, it allows an attacker to write to
> tables in other databases. This was fixed in Etch with DSA-1662.
>
> The debdiff is here:
> http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
>
> Why the RMs might want this upload:
> - unstable is several upstream releases ahead of testing; the intermediate
>   upload swaps the inadequate patch applied in DTSA-150-1 for a better one,
>   with no other changes.
> - the patch was already released to etch a month ago
> - this will have to be fixed after release if it's not done now; the security
>   team is reviewing outstanding security issues in lenny to reduce the
>   workload post-release
>
> Why you might _not_ want this upload:
> - The package takes several hours to build on a modern Opteron, so it'll
>   be hard on the buildds for arm/mips/etc
> - MySQL is a very widely used package, and this build has received less
>   testing than the one already in lenny. A new stable release with a broken
>   mysql would be a problem for many of our users and would negatively affect
>   Debian overall.

Hello, Devin.

If this patch was released in etch some time ago without troubles, I see no
reason not to put it in Lenny. Thanks for taking care of this.

P.S.: I'm not sure if you were coordinating with the maintainers on this,
I've put Norbert on CC.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org

Don't be irreplaceable, if you can't be replaced, you can't be promoted.