[Maria-discuss] MySQL's future in Debian and Ubuntu

[Colin Charles]

Hi!

On 15 Feb 2012, at 00:49, Marc Deslauriers wrote:

> We are unable to determine what the recent MySQL security fixes are due
> to lack of details, and unclear commit messages.

Based on our analysis of commits and bugs, we believe the CPU (critical patch update) that Oracle released was actually for a lot of bugs that have already been fixed in past versions of MySQL. They just seemed to have decided to "bulk it up" and place it in one update. Of course Oracle has not come up with an official statement and don't seem to be interested to do so. What is clear is that these bugs are not "new", and were not found from October 2011 - January 2012. Of course we cannot be sure, but it would seem irresponsible of Oracle to state that the bugs referenced current community releases of MySQL (5.5.21, 5.1.61 - eg. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0492). In fact the current GA is 5.5.20, and that advisory is listed as "high" in the CPU

From a blog post by an Oracle employee that is now not online, the reference to fixed bugs were:
1. Bug #11759688
2. Bug #52020
3. Bug #13358468
4. Bug #54082
5. Bug #11761576
6. Bug #51252
7. Bug #11758979
8. Bug #48726
9. Bug #11756764
10. Bug #42784
11. Bug #11751793
12. Bug #45546
13. Bug #11754011
14. Bug #13427949
15. Bug #11745230
16. Bug #12133
17. Bug #13116225
18. Bug #11759688
19. Bug #13358468
20. Bug #63020
21. Bug #13344643

Sadly, even in his reference, there are lots of bugs that are only kept in a closed bug system that Oracle has (basically anything with more than 5 digits in the bug number reference the closed bug system)

--
Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles
MariaDB: Community developed. Feature enhanced. Backward compatible.
Download it at: http://www.mariadb.org/
Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/