Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On Friday 13 April 2012 19:35:15, Thomas Backlund wrote:
> 13.04.2012 19:30, Maarten Vanraes wrote:
> [...]
> > by any chance do you have the CVE for the new one? i remember there was
> > one in mariadb a few days ago, so i want to make sure this is the same
> > one.
>
> Unfortunately no CVE yet... it only refers to a locked bug report:
>
> Security Fix: Bug #59533 was fixed.
>
> But as mariadb 5.5.23 is supposed to be based on mysql 5.5.23, it
> should be fixed.

I hate this... oracle is really fucking things up here...
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
13.04.2012 19:30, Maarten Vanraes wrote:
> On Friday 13 April 2012 18:19:14, Thomas Backlund wrote:
> [...]
>> I've started working on mysql-5.5.23 (as it contains another security
>> fix), and will release it to updates_testing for Mageia 1 as soon as
>> possible.
>
> by any chance do you have the CVE for the new one? i remember there was one
> in mariadb a few days ago, so i want to make sure this is the same one.
>

Unfortunately no CVE yet... it only refers to a locked bug report:

Security Fix: Bug #59533 was fixed.

But as mariadb 5.5.23 is supposed to be based on mysql 5.5.23, it
should be fixed.

--
Thomas
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On Friday 13 April 2012 18:19:14, Thomas Backlund wrote:
[...]
> I've started working on mysql-5.5.23 (as it contains another security
> fix), and will release it to updates_testing for Mageia 1 as soon as
> possible.

by any chance do you have the CVE for the new one? i remember there was one
in mariadb a few days ago, so i want to make sure this is the same one.
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
13.04.2012 19:11, Maarten Vanraes wrote:
> On Friday 13 April 2012 13:12:08, AL13N wrote:
> []
> > i guess most packagers want option 2 here.
>
> i don't think this is a good idea in general and i was of the opinion that
> the diff between migrating mysql 5.5.22 and mariadb 5.5.23 were quite the
> same...
>
> nonetheless, the package naming difference could have effects on it on a
> stable version, so i concede to this solution.
>
> however, i'll note that mariadb likely contains extra bugfixes, which this
> mysql 5.5.22 will not have.
>
> i guess this is the step where this is more or less decided and some packager
> steps in and does the actual work. any volunteers? perhaps that person can
> also become maintainer of it?
>

I've started working on mysql-5.5.23 (as it contains another security
fix), and will release it to updates_testing for Mageia 1 as soon as
possible.

--
Thomas
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On Friday 13 April 2012 13:12:08, AL13N wrote:
[]
> i guess most packagers want option 2 here.

i don't think this is a good idea in general and i was of the opinion that
the diff between migrating mysql 5.5.22 and mariadb 5.5.23 were quite the
same...

nonetheless, the package naming difference could have effects on it on a
stable version, so i concede to this solution.

however, i'll note that mariadb likely contains extra bugfixes, which this
mysql 5.5.22 will not have.

i guess this is the step where this is more or less decided and some packager
steps in and does the actual work. any volunteers? perhaps that person can
also become maintainer of it?
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On Fri, 13 Apr 2012, David Walser wrote:
> AL13N writes:
> > 5. someone has a better idea?
> >
> > considering the response i got, now i'll default to letting someone else
> > handle it, which might mean it never gets fixed. that would also mean for
> > me that mageia1 would be a bad version to get LTS on.
>
> The objections to this have been quite unwarranted. It sounds like some
> people want to institute a new policy that MySQL security bugs won't be
> fixed.

Those were objections against migrating from mysql to mariadb in stable
release updates. Stable updates are supposed to include minimal changes in
packages in order to fix the issues. This means using patches to fix the
issues and nothing else, if possible, or updating to the version that fixes
the issues with the least unrelated changes when it's too difficult to have
individual patches for each issue.

MySQL 5.5.22 is the last version available in the 5.5.x branch, including
various bugfixes and other changes. And if I understand correctly, MariaDB
5.5.x is the same thing as MySQL 5.5.x, but with several new features,
optimizations and other changes:
http://kb.askmonty.org/en/what-is-mariadb-55
http://kb.askmonty.org/en/what-is-mariadb-53

I don't see any reason why we should update to mariadb instead of MySQL
5.5.22. It includes the same changes as mysql 5.5.10 -> 5.5.22, and adds
several other changes that we don't want in a stable update.
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
'Twas brillig, and David Walser at 13/04/12 15:31 did gyre and gimble:
> The objections to this have been quite unwarranted. It sounds like some
> people want to institute a new policy that MySQL security bugs won't be
> fixed. Upgrading to newer versions of things isn't ideal, but sometimes
> it's what has to be done, because there's no other way, and we already do
> it sometimes in other cases. There's no reason this should be any more
> controversial.

The proposal here was not just to ship a new version, but to ship a
totally different fork -> mysql -> mariadb (it's even in the subject!).
This is why there have been objections. It's not (primarily at least) to
do with shipping a newer version.

> For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different
> than what those other distros have done. MariaDB is as much a newer version
> of what we have now as MySQL 5.5.22 is. They are both derived from the same
> code base. Furthermore, the other distros have been able to upgrade it
> apparently without even having to rebuild anything else, so the potential
> for damage seems to not be so great after all.

I disagree. It's a totally different package. There are also bugs relating
to how a service package is enabled/disabled on upgrade which might lead to
people having the service enabled when they have previously specifically
disabled it. Should we then patch and upgrade rpm-helper too to deal with
this issue? We've not even addressed it in Cauldron yet, but then I think
it may be something that users could live with in a distro upgrade, but
they certainly would not expect it from a security update.

This idea just seems wrong for a stable update. Would we have shipped LO
rather than OOo as an update? I don't think so. Would we have shipped Xorg
rather than the old X as an update? I don't think so either. Why make a
special exception for MariaDB?

I would far rather ship a newer MySQL package than (to use a cliche)
change horses in midstream[1]

Col

1. http://www.phrases.org.uk/meanings/115400.html

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
13.04.2012 14:12, AL13N wrote:
> 2. do like other distros and fix to higher mysql 5.5.22 which fixes this
> issue
> ==> this is totally not preferred for me;
> A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
> QA load
> B) this also means that the mga1 -> mga2 upgrade will have to be
> extensively retested

This would be my preferred option.

--
Anssi Hannula
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
AL13N writes:
> 5. someone has a better idea?
>
> considering the response i got, now i'll default to letting someone else
> handle it, which might mean it never gets fixed. that would also mean for
> me that mageia1 would be a bad version to get LTS on.

The objections to this have been quite unwarranted. It sounds like some
people want to institute a new policy that MySQL security bugs won't be
fixed. Upgrading to newer versions of things isn't ideal, but sometimes
it's what has to be done, because there's no other way, and we already do
it sometimes in other cases. There's no reason this should be any more
controversial.

In researching this, it appears that for the security bugs in MySQL (and
there are many, at least one of which is remotely exploitable without
authentication), only the Oracle MySQL developers really know what the
vulnerabilities are and how they were fixed, and they're not telling. The
most recent MySQL changelog that referenced security vulnerabilities had no
details, and just mentioned two bug numbers. One of those bug numbers
doesn't exist. The other is not publicly viewable.

At this point, upgrading is the only solution to these security problems,
and other distros have already realized this and updated to one of the
newest releases. Here are some examples.

RHEL6:
https://rhn.redhat.com/errata/RHSA-2012-0105.html
https://rhn.redhat.com/errata/RHSA-2011-0164.html

Fedora 15:
https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15

Fedora 16:
https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16

Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2:
http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031

Mandriva 2010.0, Mandriva 2010.1:
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012

For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different
than what those other distros have done. MariaDB is as much a newer version
of what we have now as MySQL 5.5.22 is. They are both derived from the same
code base. Furthermore, the other distros have been able to upgrade it
apparently without even having to rebuild anything else, so the potential
for damage seems to not be so great after all.

Finally, someone made a comment about our reputation in this thread. If we
just ignore this and don't issue any security updates because it's "too
hard" or "too scary," that will hurt our reputation more than anything
else.
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On Fri, Apr 13, 2012 at 12:12, AL13N wrote:
> 1. find all the responsible patches and add them manually
> ==> this is my preferred option, but seems not doable, and apparently
> no-one steps in and mysql isn't maintained (officially)

Not possible as most of the unfixed CVE on MySQL only say things like:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL
5.5.x allows remote authenticated users to affect confidentiality and
integrity via unknown vectors.

So there is no way to know what was fixed and when.

> 2. do like other distros and fix to higher mysql 5.5.22 which fixes this
> issue
> ==> this is totally not preferred for me;
> A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge QA
> load

This will happen anyway. Testing will be the same whatever the amount of
changes is.

> B) this also means that the mga1 -> mga2 upgrade will have to be
> extensively retested

At least there will be no package name change etc, so nothing really new
regarding upgrade

> 3. go to the cauldron version that fixes these issues which is mariadb-5.5.23
> ==> this is less preferred for me:
> A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
> QA load

And even more, as it implies testing that all packages from mga1 using
mysql need to be tested (as more recent ones were tested in cauldron)

> B) however the mga1 -> mga2 upgrade has been tested already, so the
> chance of serious issues arising for this is a lot less than normally.

But it will need to be tested completely again as now mga1 state would be
very different from what it was

> C) since mariadb-5.5.23 is based on mysql-5.5.23, the changes are quite
> less than would normally be.
>
> 4. don't fix this security issue
> ==> this is also less preferred for me, for obvious reasons.
>
> 5. someone has a better idea?
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
> On 13/04/2012 12:45, Colin Guthrie wrote:
>> 'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and
>> gimble:
>>> after talking with mariadb people and some others, i'm proposing to
>>> update
>>> mysql 5.5.10 to mariadb-5.5.23 in mga1.
>>
>> I would be pretty strongly against this.
>>
>> I think it's fine we're using mariadb in mga2, but I really don't fancy
>> making this switch on a stable distro.
>>
>> It just seems like a really, really bad idea. Not necessarily
>> technically, but in pretty much all other aspects - you have to consider
>> how this would be viewed as well - changing something like this for a
>> stable distro puts a big question mark over future stability and updates
>> etc. too.
> Same for me.
>
> Basically, you're proposing to break the assumption that current policy
> ensures end users that a package update from 'updates' repository for
> package 'foo' is just a bugfix for 'foo' package. You may have perfectly
> valid technical reasons, but you're *silently* changing the rule upon
> which people may have established their own policies, which is a very,
> very bad idea.

tbh, iinm the rule is that we like to provide only bugfix/security fix
patches, but there are exceptions when that isn't possible to update to the
full versions fixing this issue.

Well, initially i was against this, but the options to actually fix this
security bug are quite limited:

1. find all the responsible patches and add them manually
==> this is my preferred option, but seems not doable, and apparently
no-one steps in and mysql isn't maintained (officially)

2. do like other distros and fix to higher mysql 5.5.22 which fixes this
issue
==> this is totally not preferred for me;
A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
B) this also means that the mga1 -> mga2 upgrade will have to be
extensively retested

3. go to the cauldron version that fixes these issues which is mariadb-5.5.23
==> this is less preferred for me:
A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
B) however the mga1 -> mga2 upgrade has been tested already, so the
chance of serious issues arising for this is a lot less than normally.
C) since mariadb-5.5.23 is based on mysql-5.5.23, the changes are quite
less than would normally be.

4. don't fix this security issue
==> this is also less preferred for me, for obvious reasons.

5. someone has a better idea?

considering the response i got, now i'll default to letting someone else
handle it, which might mean it never gets fixed. that would also mean for
me that mageia1 would be a bad version to get LTS on.

I'm open to suggestions...

PS: as some people might think it's just a stupid political reason, but
it's not. my reasons are detailed above.
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
On 13/04/2012 12:45, Colin Guthrie wrote:
> 'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and gimble:
>> after talking with mariadb people and some others, i'm proposing to update
>> mysql 5.5.10 to mariadb-5.5.23 in mga1.
>
> I would be pretty strongly against this.
>
> I think it's fine we're using mariadb in mga2, but I really don't fancy
> making this switch on a stable distro.
>
> It just seems like a really, really bad idea. Not necessarily
> technically, but in pretty much all other aspects - you have to consider
> how this would be viewed as well - changing something like this for a
> stable distro puts a big question mark over future stability and updates
> etc. too.

Same for me.

Basically, you're proposing to break the assumption that current policy
ensures end users that a package update from 'updates' repository for
package 'foo' is just a bugfix for 'foo' package. You may have perfectly
valid technical reasons, but you're *silently* changing the rule upon
which people may have established their own policies, which is a very,
very bad idea.

--
BOFH excuse #274:

It was OK before you touched it.
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and gimble:
> after talking with mariadb people and some others, i'm proposing to update
> mysql 5.5.10 to mariadb-5.5.23 in mga1.

I would be pretty strongly against this.

I think it's fine we're using mariadb in mga2, but I really don't fancy
making this switch on a stable distro.

It just seems like a really, really bad idea. Not necessarily
technically, but in pretty much all other aspects - you have to consider
how this would be viewed as well - changing something like this for a
stable distro puts a big question mark over future stability and updates
etc. too.

If you are not able to work on the CVE issue for mga1 because you're
unable to test properly a mysql fix, then please let someone else do it.
I'm sure we all understand why you'd rather push mariadb and why you
maybe wouldn't want to work on mysql. That's fine, we won't hold it
against you :D

Col

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
Maarten Vanraes wrote 13.4.2012 09:28:
> regarding bug https://bugs.mageia.org/show_bug.cgi?id=5260
>
> after talking with mariadb people and some others, i'm proposing to update
> mysql 5.5.10 to mariadb-5.5.23 in mga1.

Are you serious ??

> however, QA should extra-double-test the php-mysql dependency, as mariadb
> noted that php-mysql seems to have a very strict versioning scheme
> sometimes and having a new mysql provider without rebuilding php-mysql
> often fails...

You do realize that QA would have to test _way_ more than that...

It would pretty much mean doing a full QA on mga1 release

$ urpmq --whatrequires lib64mysql18 |sort -u
amarok
bacula-dir-mysql
bind
cherokee
courier-authlib-devel
cyrus-imapd
cyrus-imapd-murder
cyrus-imapd-nntp
cyrus-imapd-utils
dovecot-plugins-mysql
gda2.0-mysql
gnokii-smsd-mysql
grass
kexi
lib64gammu7
lib64gdal1
lib64mnogosearch3.2
lib64mysql18
lib64mysqlcppconn6
lib64mysql-devel
lib64qt3-mysql
lib64redland-devel
lib64sasl2-plug-sql
libgda4.0-mysql
lighttpd-mod_mysql_vhost
lua-sql-mysql
motion
mysql-client
mythtv-plugin-zoneminder
nagios-check_mysql
nagios-check_mysql_query
net-snmp-trapd
ntop
pdns-backend-mysql
perl-DBD-mysql
php-mysql
php-mysqli
php-pdo_mysql
postfix-mysql
preludedb-mysql
proftpd-mod_sql_mysql
pure-ftpd
python-mysql
qt4-database-plugin-mysql
rsyslog-mysql
ruby-mysql
stardict-tools
xbmc

And then all indirect deps need to be verified.

--
Thomas
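The reply above lists the direct reverse dependencies of lib64mysql18 and then notes that the indirect ones also need verifying. The script below is an added illustration, not part of the thread or of Mageia's tooling: it takes a constructed requires graph (package names borrowed from the thread, but the edges and the extra packages gammu, wammu, php, drupal and vim are invented for the example) and computes both the direct list, which is what `urpmq --whatrequires` printed above, and the transitive closure with hop distances, which is the set QA would actually have to cover when a library package is swapped out. It generalises the thread's one-level listing to the full closure; on a real system the graph would be built from the package metadata rather than from the literal below.

```python
# Added example, not code from the thread. Computes direct and transitive
# reverse dependencies over a constructed package graph so the size of the
# QA scope for replacing a library package can be estimated.
from collections import deque

# Constructed sample: package -> set of packages it directly requires.
# Names mirror the thread; the edges and the extra packages are invented.
REQUIRES = {
    "lib64mysql18": set(),
    "mysql-client": {"lib64mysql18"},
    "php-mysql": {"lib64mysql18"},
    "php-mysqli": {"lib64mysql18"},
    "perl-DBD-mysql": {"lib64mysql18"},
    "postfix-mysql": {"lib64mysql18"},
    "amarok": {"lib64mysql18"},
    "lib64gammu7": {"lib64mysql18"},
    "gammu": {"lib64gammu7"},        # indirect: reaches the library via lib64gammu7
    "wammu": {"gammu"},              # two hops away from the library
    "php": set(),
    "drupal": {"php", "php-mysql"},  # indirect via php-mysql
    "vim": set(),                    # unrelated; must never be reported
}


def reverse_deps(requires):
    """Invert the requires graph: package -> set of packages that require it."""
    rev = {pkg: set() for pkg in requires}
    for pkg, deps in requires.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def whatrequires(requires, target):
    """Direct reverse dependencies only, the one-level view shown in the thread."""
    return sorted(reverse_deps(requires).get(target, set()))


def whatrequires_recursive(requires, target):
    """Transitive reverse dependencies with hop distance from the target.

    Breadth-first search over the inverted graph. The returned dict maps each
    affected package to its distance (1 = links directly, 2 = one package in
    between, ...), which lets a QA list be prioritised by how directly the
    package depends on the replaced library.
    """
    rev = reverse_deps(requires)
    distance = {}
    queue = deque([(target, 0)])
    while queue:
        pkg, hops = queue.popleft()
        for parent in rev.get(pkg, ()):
            if parent not in distance:          # first visit is the shortest path
                distance[parent] = hops + 1
                queue.append((parent, hops + 1))
    return distance


if __name__ == "__main__":
    direct = whatrequires(REQUIRES, "lib64mysql18")
    closure = whatrequires_recursive(REQUIRES, "lib64mysql18")
    print(f"direct reverse deps: {len(direct)}")
    print(f"transitive reverse deps: {len(closure)}")
    for pkg, hops in sorted(closure.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"  hop {hops}: {pkg}")
```

The distance is the useful extra information: packages at hop 1 link the library directly and are the ones that may need a rebuild against a new provider (the php-mysql concern in the original mail), while packages further out only need functional retesting.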
[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
regarding bug https://bugs.mageia.org/show_bug.cgi?id=5260

after talking with mariadb people and some others, i'm proposing to update
mysql 5.5.10 to mariadb-5.5.23 in mga1.

however, QA should extra-double-test the php-mysql dependency, as mariadb
noted that php-mysql seems to have a very strict versioning scheme
sometimes and having a new mysql provider without rebuilding php-mysql
often fails...

in case of no objections, i'll go ahead with this.