I'd like to upload a security fix for mysql-dfsg-5.0 to t-p-u. The fix is for CVE-2008-4098, which enables privilege escalation of authenticated mysql users via symlink traversal. In the worst case, it allows an attacker to write to tables in other databases. This was fixed in Etch with DSA-1662.
The debdiff is here: http://devin.com/debian/security/mysql-dfsg-5.0_lenny.debdiff

Why the RMs might want this upload:

- unstable is several upstream releases ahead of testing; the intermediate upload swaps the inadequate patch applied in DTSA-150-1 for a better one, with no other changes.
- the patch was already released to etch a month ago
- this will have to be fixed after release if it's not done now; the security team is reviewing outstanding security issues in lenny to reduce the workload post-release

Why you might _not_ want this upload:

- The package takes several hours to build on a modern Opteron, so it'll be hard on the buildds for arm/mips/etc
- MySQL is a very widely used package, and this build has received less testing than the one already in lenny. A new stable release with a broken mysql would be a problem for many of our users and would negatively affect Debian overall.

-- 
Devin    \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2