Subject: Re: mysql security vulnerability question
To: Hisashi T Fujinaka <htodd@twofifty.com>
From: Thomas Klausner <wiz@NetBSD.org>
List: tech-pkg
Date: 09/17/2003 22:48:45
On Tue, Sep 16, 2003 at 04:18:16PM -0700, Hisashi T Fujinaka wrote:
> Should I be expecting an update of the package, or should I patch the
> package myself (I didn't see a patch in the announcement I see night
> after night), or should I just hope no one knows I'm running mysql?
> 
> I'm just not sure what audit-packages does for me.
> 
> If I were to receive a security announcement, I'd know there were fixes
> already in place. At this point I think I've seen a warning from
> audit-packages three nights in a row with no cvs commits to
> pkgsrc/databases.

I added the entry, since I thought you would like to be informed
about vulnerabilities, even if we do not currently provide a fix.

After all, the vulnerability is already publicly known, so not
adding it to the file doesn't buy us anything.

I had hoped some mysql-interested developers would have committed
the fix by now, but it seems it didn't happen -- I'll probably
fix it tomorrow.
 Thomas

P.S. Feel free to provide an update for e.g. xfstt... current
pkgsrc version is also vulnerable, but the program seems to
interest no one enough :)