Re: Upload of mysql-dfsg-5.0 to t-p-u for CVE-2008-4098
* Devin Carraway [Wed, 26 Nov 2008 00:46:38 -0800]:
> I'd like to upload a security fix for mysql-dfsg-5.0 to t-p-u. The fix is for
> CVE-2008-4098, which enables privilege escalation of authenticated mysql users
> via symlink traversal. In the worst case, it allows an attacker to write to
> tables in other databases. This was fixed in Etch with DSA-1662.
> The debdiff is here:
> http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff
> Why the RMs might want this upload:
> - unstable is several upstream releases ahead of testing; the intermediate
> upload swaps the inadequate patch applied in DTSA-150-1 for a better one,
> with no other changes.
> - the patch was already released to etch a month ago
> - this will have to be fixed after release if it's not done now; the security
> team is reviewing outstanding security issues in lenny to reduce the
> workload post-release
> Why you might _not_ want this upload:
> - The package takes several hours to build on a modern Opteron, so it'll
> be hard on the buildds for arm/mips/etc
> - MySQL is a very widely used package, and this build has received less
> testing than the one already in lenny. A new stable release with a broken
> mysql would be a problem for many of our users and would negatively affect
> Debian overall.
Hello, Devin. If this patch was released in etch some time ago without
troubles, I see no reason not to put it in Lenny.
Thanks for taking care of this.
P.S.: I'm not sure if you were coordinating with the maintainers on
this, I've put Norbert on CC.
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Don't be irreplaceable, if you can't be replaced, you can't be promoted.
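An added aside for readers, not part of either message above: the class of problem Devin describes (files under one database's directory that are really symlinks reaching into another database's directory) is something an administrator can audit for directly on disk, independently of whether the server-side patch is installed. The script below is example code written for this page, not Debian's or MySQL's; it assumes the usual datadir/<db>/<table>.{frm,MYD,MYI} layout and builds a constructed sample tree in a temporary directory so that it runs offline.

```python
import os
import tempfile
from pathlib import Path


def find_cross_db_symlinks(datadir):
    """Walk datadir/<db>/ and report symlinks whose resolved target lies
    outside the database directory that contains them.

    Returns a list of (db_name, path_relative_to_db_dir, resolved_target).
    A database directory that is itself a symlink is a common and documented
    admin practice, so top-level links are not reported; only links *inside*
    a database directory that escape it are.
    """
    datadir = Path(datadir).resolve()
    findings = []
    db_dirs = sorted(p for p in datadir.iterdir()
                     if p.is_dir() and not p.is_symlink())
    for db_dir in db_dirs:
        # followlinks=False (the default): symlinked dirs are listed but not descended
        for root, dirs, files in os.walk(db_dir):
            for name in dirs + files:
                entry = Path(root) / name
                if not entry.is_symlink():
                    continue
                target = entry.resolve()  # resolves relative links against the link's dir
                if target != db_dir and db_dir not in target.parents:
                    findings.append((db_dir.name,
                                     str(entry.relative_to(db_dir)),
                                     str(target)))
    return findings


def build_sample_datadir(base):
    """Constructed sample layout (hypothetical database and table names):
      app/t1.MYD           regular table data file
      app/alias.frm -> t1.MYD   symlink that stays inside its own db dir (benign)
      evil/t.MYD -> ../app/t1.MYD   symlink escaping into another db dir (flagged)
    """
    base = Path(base)
    (base / "app").mkdir()
    (base / "app" / "t1.MYD").write_bytes(b"constructed sample data")
    os.symlink("t1.MYD", base / "app" / "alias.frm")
    (base / "evil").mkdir()
    os.symlink("../app/t1.MYD", base / "evil" / "t.MYD")
    return base


def audit_sample_datadir():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cross_db_symlinks(build_sample_datadir(tmp))


if __name__ == "__main__":
    for db, rel, target in audit_sample_datadir():
        print(f"{db}/{rel} -> {target}")
    # Against a real server: find_cross_db_symlinks("/var/lib/mysql")
```

This only audits what is already on disk; it does not stop a user from creating such a link through the server, which is what the package fix is for. Run it as the mysql user (or root) so that every database directory is readable.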