--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: mysql-5.1: Embedded libraries (yassl + taocrypt)
- From: Ondřej Surý <ondrej@debian.org>
- Date: Wed, 18 May 2011 18:37:10 +0200
- Message-id: <20110518163710.30928.82241.reportbug@localhost6>
Package: mysql-5.1
Version: 5.1.57-1
Severity: wishlist
While debugging the FTBFS on i386 I have found two embedded libraries
included in MySQL source code: yassl (extra/yassl) and taocrypt
(extra/yassl/taocrypt), both available from www.yassl.com as separate
libraries.
Since it is against the policy (although only 'should') and it's a
hell from security POV[1], it would be much better to package those two
libraries separately and link MySQL against separate packages if
possible (there could be some MySQL source changes which would
disallow to do so).
Other thing which hit me is that MySQL AB blatantly relicenced the
source code of both libraries, which might be violation of GPL. Or
there is some background agreement between the MySQL AB/Oracle and
Sawtooth Consulting Ltd. which is not visible from the source code.
Please note that this relicensing might raise the severity to RC, but
since the www.yassl.com lists the MySQL as a user of their libraries,
I guess they are ok with it.
1. Are you able to tell if any of those security advisories listed
here: http://secunia.com/advisories/product/6145/ apply to MySQL?
I am not even able to tell which version of yaSSL is bundled
with MySQL. It seems to me that it's 1.6.0 and it is vulnerable
to: http://aluigi.altervista.org/adv/yasslick-adv.txt
O.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty'), (100, 'natty-backports')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-8-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---