List: Packagers
From: Lenz Grimmer
Date: June 8 2006 12:00pm
Subject:Re: Status of MySQL 3.23/4.0 regarding 5.0.22 security bug?

Hi Christian,

sorry for the late reply.

On Thu, 1 Jun 2006, Christian Hammers wrote:

> Debian likes to provide security updates for our last two releases which
> shipped with MySQL 3.23.49 and 4.0.24. Can you comment upon their
> vulnerability and maybe even provide patches? The 4.1 and 5.0 diffs were
> almost the same but do not apply to 3.23 and 4.0 which, too, look very
> similar so maybe at least a patch for 4.0 would be enough for us.

Joerg has already sent out a clarification about this - versions prior to
4.1 should not be affected.

> Do you have a proof of concept exploit that we could use to verify that our
> security uploads really fix the problem?

AFAIK Tom Lane from Red Hat has sent you his proof of concept code, hasn't he?

> Has there already been a CVE id assigned to this issue or did you contact anybody
> to do so? Else the Debian Security Team could register one.

To my knowledge we had not done this yet and I am not aware that anybody else
had. So yes, that would be appreciated. In the future, we should take care of
this on time!

-- 
 Lenz Grimmer <lenz@stripped>
 Community Relations Manager, EMEA
 MySQL GmbH, Hamburg, Germany
 Visit the MySQL Forge at