Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-12-17 Thread Emilio Pozuelo Monfort
Hi,

On 22/05/2018 07:10, Lars Tangvald wrote:
> 
> 
> On 05/21/2018 03:22 PM, Matus UHLAR - fantomas wrote:
 On 22.01.2018 at 13:42, Lars Tangvald wrote:
> First off, thanks for handling the 5.5.59 update for Wheezy. I had the
> security announcement date mixed up so picked it up too late, sorry.
>
> MySQL 5.5 is expected to be EOL in December (it was first released
> December 15, 2010, and we have 8 year security support), while Jessie
> LTS is until April 2020
> How are such cases handled? Will the source package be removed, or is it
> possible to have it upgraded to a more recent version?
>>
>>> On 22/01/18 16:35, Markus Koschany wrote:
 These are both possible options but given the significance of MySQL we
 would rather prefer to upgrade to a supported release provided this is
 viable for Jessie.
>>
> If an upgrade is possible, while we did a successful transition in
> Ubuntu from 5.5 to 5.7, there were significant changes from 5.6 to 5.7,
> requiring small changes to a lot of third-party packages as well as to
> the default server behavior, so 5.6 (which is supported until 2021)
> would be a better option.
>>
 I also think it makes sense to take a smaller step and upgrade from 5.5
 to 5.6. Are there any known issues with 5.6 or can you share any
 information about expected regressions with reverse-dependencies?
>>
>> On 19.05.18 20:41, Emilio Pozuelo Monfort wrote:
>>> jessie ships mysql-5.5 and mariadb-10.0. Given that stretch no longer ships
>>> mysql but only mariadb, we could just let mysql-5.5 go end of life, mark it
>>> as unsupported (or drop the server part), and keep supporting mariadb-10.0.
>>> Users will need to move to mariadb at some point anyway. The only problem is
>>> that mariadb-10.0 goes EOL on March 2019. mariadb-10.1 is EOL on October 2020,
>>> so if we decided to provide that in jessie that would be enough.
>>
>> There are packages in jessie that depend on mysql (or libmysql), not on
>> mariadb.
>>
>> IMHO If it's possible to migrate to mysql-5.6 and later from mysql-5.6 to
>> stretch, it would be a better alternative than deprecate it.
>>
> If we can agree on this, I can work on updating the packaging (we did have 5.6
> in sid at one point, but would need to check that it didn't have any big 
> changes).
> 
> Otto: MariaDB 10.1 supports migration from MySQL 5.6, right? This would be
> important for users later upgrading to Stretch.

MySQL 5.5 should be EOL this month if nothing has changed, although I don't see
an announcement on [1] yet. Maybe it will be published next month when the next
CPU (critical patch update) is released. Norvald, do you know if 5.5 is
effectively EOL already? Or will it receive another update next month?

Also note that mariadb 10.0 is EOL in three months[2].

I don't think it makes much sense to upload mysql-5.6, since stretch has no
mysql at all. Since users will have to migrate to MariaDB anyway (or to
externally provided MySQL packages if they so choose), they can do so now.

For mariadb 10.0, we may be able to backport important security fixes, or we
could backport 10.1 which will be supported upstream until October 2020.

I would lean towards one of those last two options.

Cheers,
Emilio

[1] https://www.mysql.com/support/eol-notice.html
[2] https://mariadb.org/about/maintenance-policy/



Re: Possible patch-backport problem for libphp-phpmailer (DLA-1591-1)

2018-12-17 Thread Emilio Pozuelo Monfort
On 12/12/2018 04:56, Abhijith PA wrote:
> Hi.
> 
> On Tuesday 11 December 2018 12:59 PM, Chris Lamb wrote:
>> Hi Salvatore.
>>
>>> While preparing an update for libphp-phpmailer I noticed in the
>>> patch/diff for DLA-1591-1 for libphp-phpmailer the following:
>>
>> Thanks for flagging. I will try and take a look at this over the next
>> few days but I am pretty-solidly at a Reproducible Builds conference
>> so if someone can jump in, please do so.
> 
> I will look in to it.

I have added this to dla-needed.txt so that it doesn't get forgotten.

Cheers,
Emilio



Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-12-17 Thread Norvald H. Ryeng
On Mon, 17 Dec 2018 10:49:57 +0100
Emilio Pozuelo Monfort  wrote:

> MySQL 5.5 should be EOL this month if nothing has changed, although I
> don't see an announcement on [1] yet. Maybe it will be published next
> month when the next CPU (critical patch update) is released. Norvald,
> do you know if 5.5 is effectively EOL already? Or will it receive
> another update next month?

It will not. The plan is to stop on 5.5.62 (released in October).

Best regards,

Norvald



phpmyadmin / CVE-2016-5739.patch

2018-12-17 Thread Brian May
Ok, so as far as I can tell, looking at the version in wheezy, the
problem is that we load source files like so (there are two occurances
in the code that I can see, both very similar):

include_once $include_file;

Where include_file comes from:

$file = $mime_map[$meta->name]['transformation'];
$include_file = 'libraries/plugins/transformations/' . $file;

The problem being $mime_map is loaded from the database, and considered
untrusted, I think this is the source here:

PMA_getMIME($this->__get('db'), $this->__get('table'))

I don't fully understand this function yet, but I think it is safe to
say it generates filenames based on untrusted data from the database.

I am not sure what an attacker can do with include_once, but my guess is
that if you try to load a file that doesn't have a

https://docs.phpmyadmin.net/en/qa_4_2/transformations.html

I am wondering how important it is that we continue to support
transformations? I suspect not many users of phpmyadmin 4.2.12 would
actually use or want them... If so the easiest fix may be to remove
these lines.
-- 
Brian May 
https://linuxpenguins.xyz/brian/
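An added example, not phpMyAdmin's code nor Brian's, of how the plugin file name taken from $mime_map could be validated before it reaches include_once; it assumes PHP 7.1+ and the libraries/plugins/transformations/ layout quoted in the mail.

```php
<?php
// Added example (not phpMyAdmin's own code): hardened loading of a transformation
// plugin whose file name comes from an untrusted $mime_map entry in the database.

const TRANSFORMATIONS_DIR = __DIR__ . '/libraries/plugins/transformations'; // assumed layout

/**
 * Return the absolute path of the transformation plugin to include, or null
 * when the untrusted name must be rejected.
 */
function resolveTransformationFile(string $untrustedName): ?string
{
    // 1. Syntactic allow-list: a plain plugin class file name only. This rejects
    //    directory separators, "..", NUL bytes, URLs and stream wrappers outright.
    if (!preg_match('/\A[A-Za-z0-9_]+\.class\.php\z/', $untrustedName)) {
        return null;
    }

    // 2. Resolve the directory and the candidate, then confirm containment, so a
    //    symlink inside the plugin directory cannot point elsewhere either.
    $dir = realpath(TRANSFORMATIONS_DIR);
    $candidate = realpath(TRANSFORMATIONS_DIR . '/' . $untrustedName);
    if ($dir === false || $candidate === false) {
        return null;            // directory missing or plugin file does not exist
    }
    if (strpos($candidate, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // resolved path escaped the plugin directory
    }
    return $candidate;
}

// Before (shape of the wheezy code quoted in the mail): the name read from the
// database is concatenated straight into the include path.
//   $file = $mime_map[$meta->name]['transformation'];
//   include_once 'libraries/plugins/transformations/' . $file;

// After: validate first and skip the transformation when validation fails.
function loadTransformation(array $mimeMap, string $column): bool
{
    $file = $mimeMap[$column]['transformation'] ?? '';
    $path = resolveTransformationFile((string) $file);
    if ($path === null) {
        error_log("phpmyadmin: rejected transformation plugin name for column $column");
        return false;
    }
    include_once $path;
    return true;
}
```

The regex alone already stops the untrusted value from naming anything outside the plugin directory; the realpath containment check is the belt-and-braces layer for the symlink case.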



Re: phpmyadmin / CVE-2018-19968

2018-12-17 Thread Brian May
Sorry, somehow stuffed up the subject line. Meant to reference
CVE-2018-19968.
-- 
Brian May