-
mysql-dfsg-5.0 (5.0.96-0ubuntu3) hardy-security; urgency=low
* SECURITY UPDATE: authentication bypass (LP: #1011371)
- debian/patches/90_CVE-2012-2122.patch: fix improper type conversion
in sql/password.c.
- CVE-2012-2122
* debian/mysql-server.preinst: Removed to prevent service from remaining
stopped after getting updated. The upgrade logic is still present in
mysql-common.preinst. (LP: #988325)
-- Marc Deslauriers <email address hidden> Mon, 11 Jun 2012 09:04:56 -0400
-
mysql-dfsg-5.0 (5.0.96-0ubuntu1) hardy-security; urgency=low
* SECURITY UPDATE: Update to 5.0.96 to fix security issues (LP: #965523)
- http://dev.mysql.com/doc/refman/5.0/en/news-5-0-96.html
-- Marc Deslauriers <email address hidden> Wed, 28 Mar 2012 09:25:59 -0400
-
mysql-dfsg-5.0 (5.0.95-0ubuntu1) hardy-security; urgency=low
* SECURITY UPDATE: Update to 5.0.95 to fix multiple security issues
(LP: #937869)
- http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
- CVE-2012-0075
- CVE-2012-0087
- CVE-2012-0101
- CVE-2012-0102
- CVE-2012-0114
- CVE-2012-0484
- CVE-2012-0490
* Dropped patches unnecessary with 5.0.95:
- debian/patches/91_SECURITY_CVE-2007-5925.dpatch
- debian/patches/95_SECURITY_CVE-2008-3963.dpatch
- debian/patches/96_SECURITY_CVE-2008-4098.dpatch
- debian/patches/97_CVE-2008-4456.dpatch
- debian/patches/97_CVE-2009-2446.dpatch
- debian/patches/97_CVE-2009-4019.dpatch
- debian/patches/97_CVE-2009-4030.dpatch
- debian/patches/98_CVE-2009-4484.dpatch
- debian/patches/99_ssl_test_certs.dpatch
- debian/patches/100_CVE-2010-1850.dpatch
- debian/patches/101_CVE-2010-1849.dpatch
- debian/patches/102_CVE-2010-1848.dpatch
- debian/patches/103_CVE-2010-1626.dpatch
- debian/patches/98_CVE-2010-3677.dpatch
- debian/patches/98_CVE-2010-3680.dpatch
- debian/patches/98_CVE-2010-3681.dpatch
- debian/patches/98_CVE-2010-3682.dpatch
- debian/patches/98_CVE-2010-3833.dpatch
- debian/patches/98_CVE-2010-3834.dpatch
- debian/patches/98_CVE-2010-3835.dpatch
- debian/patches/98_CVE-2010-3836.dpatch
- debian/patches/98_CVE-2010-3837.dpatch
- debian/patches/98_CVE-2010-3838.dpatch
- debian/patches/98_CVE-2010-3840.dpatch
- debian/patches/45_warn-CLI-passwords.dpatch
- debian/patches/50_fix_mysqldump.dpatch
- debian/patches/51_incorrect-order.dpatch
- debian/patches/52_ndb-gcc-4.2.dpatch
- debian/patches/53_integer-gcc-4.2.dpatch
- debian/patches/54_ssl-client-support.dpatch
- debian/patches/55_testsuite-2008.dpatch
- debian/patches/58-disable-ndb-backup-print.dpatch
- debian/patches/59-fix-mysql-replication-logs.dpatch
- debian/patches/86_PATH_MAX.dpatch
- debian/patches/90_upstreamdebiandir.dpatch
- debian/patches/92_fix_order_by32202.dpatch
- debian/patches/93_fix_user_setup_on_localhost.dpatch
- debian/patches/94_fix_mysqldump_with_old_versions.dpatch
- debian/patches/56-mysqlhotcopy-invalid-dbtable.dpatch
- debian/patches/57-fix-mysqlslowdump-config.dpatch
* debian/mysql-client-5.0.docs, debian/mysql-server-5.0.docs: removed
EXCEPTIONS-CLIENT file
* debian/libmysqlclient15-dev.docs, debian/libmysqlclient15off.docs:
removed, no longer necessary.
* debian/patches/25_mysys__default.c.dpatch: updated for 5.0.95.
* debian/mysql-server-5.0.files: change ndb_mgmd and ndbd manpage
locations. Removed mysqlmanagerc.1 and mysqlmanager-pwgen.1
-- Marc Deslauriers <email address hidden> Thu, 23 Feb 2012 11:21:11 -0500
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.8) hardy-security; urgency=low
* SECURITY UPDATE: denial of service via joins involving a table with a
unique SET column
- debian/patches/98_CVE-2010-3677.dpatch: improve logic in
sql/item_cmpfunc.cc. Add tests to mysql-test/*.
- CVE-2010-3677
* SECURITY UPDATE: denial of service via TEMPORARY InnoDB tables with
nullable columns
- debian/patches/98_CVE-2010-3680.dpatch: check for null datatype in
sql/ha_innodb.cc. Add tests to mysql-test/*.
- CVE-2010-3680
* SECURITY UPDATE: denial of service via alternate reads from two indexes
on a table using the HANDLER interface
- debian/patches/98_CVE-2010-3681.dpatch: check for the same index in
sql/sql_handler.cc. Add tests to mysql-test/*.
- CVE-2010-3681
* SECURITY UPDATE: denial of service via use of EXPLAIN with certain
queries
- debian/patches/98_CVE-2010-3682.dpatch: improve conditional in
sql/sql_select.cc. Add tests to mysql-test/*.
- CVE-2010-3682
* SECURITY UPDATE: denial of service via incorrect propagation of type
errors.
- debian/patches/98_CVE-2010-3833.dpatch: properly check for execution
errors in sql/item_func.cc. Add tests to mysql-test/*.
- CVE-2010-3833
* SECURITY UPDATE: denial of service via derived table materializing.
- debian/patches/98_CVE-2010-3834.dpatch: handle temporary tables in
sql/field.cc, sql/sql_select.*. Add tests to mysql-test/*.
- CVE-2010-3834
* SECURITY UPDATE: denial of service via user-variable assignment
expression.
- debian/patches/98_CVE-2010-3835.dpatch: fix logic in sql/item_func.*.
Add tests to mysql-test/*.
- CVE-2010-3835
* SECURITY UPDATE: denial of service via pre-evaluation of LIKE
predicates during view preparation.
- debian/patches/98_CVE-2010-3836.dpatch: make sure we're not in view
preparation mode in sql/item_cmpfunc.cc. Add tests to mysql-test/*.
- CVE-2010-3836
* SECURITY UPDATE: denial of service via use of GROUP_CONCAT() and
WITH ROLLUP together.
- debian/patches/98_CVE-2010-3837.dpatch: create a copy of the order
structures in sql/item_sum.cc, sql/table.h. Add tests to
mysql-test/*.
- CVE-2010-3837
* SECURITY UPDATE: denial of service via longblob and union or update
with subquery.
- debian/patches/98_CVE-2010-3838.dpatch: handle REAL_RESULT in
sql/item_func.cc. Add tests to mysql-test/*.
- CVE-2010-3838
* SECURITY UPDATE: denial of service via PolyFromWKB() function and
improper data.
- debian/patches/98_CVE-2010-3840.dpatch: improve data handling in
sql/spatial.cc. Add tests to mysql-test/*.
- CVE-2010-3840
-- Marc Deslauriers <email address hidden> Tue, 09 Nov 2010 11:49:24 -0500
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.7) hardy-security; urgency=low
* SECURITY UPDATE: privilege check bypass via crafted table name argument
to COM_FIELD_LIST
- debian/patches/102_CVE-2010-1848.dpatch: check table name in
sql/sql_parse.cc. Add tests to tests/mysql_client_test.c.
- CVE-2010-1848
* SECURITY UPDATE: denial of service via large packets
- debian/patches/101_CVE-2010-1849.dpatch: handle big packets in
sql/sql_parse.cc, include/mysql_com.h, sql/net_serv.cc.
- CVE-2010-1849
* SECURITY UPDATE: arbitrary code execution via crafted table name
argument to COM_FIELD_LIST
- debian/patches/100_CVE-2010-1850.dpatch: check table name length in
sql/sql_parse.cc.
- CVE-2010-1850
* SECURITY UPDATE: DROP TABLE privilege bypass via symlink attack
- debian/patches/103_CVE-2010-1626.dpatch: check for symlinks in
myisam/mi_delete_table.c.
- CVE-2010-1626
-- Marc Deslauriers <email address hidden> Mon, 07 Jun 2010 09:01:22 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.5) hardy-security; urgency=low
* SECURITY UPDATE: Cross-site scripting in the command-line client
- debian/patches/97_CVE-2008-4456.dpatch: use xmlencode_print in
client/mysql.cc, add test to mysql-test/*.
- CVE-2008-4456
* SECURITY UPDATE: format string vulnerabilities in the dispatch_command
function
- debian/patches/97_CVE-2009-2446.dpatch: use correct format string in
sql/sql_parse.cc, add test to tests/mysql_client_test.c.
- CVE-2009-2446
* SECURITY UPDATE: denial of service via certain SELECT statements with
subqueries and statements that use the GeomFromWKB function
- debian/patches/97_CVE-2009-4019.dpatch: return proper errors in
sql/sql_class.cc, handle errors in sql/sql_select.cc, set correct
null_value in sql/item_geofunc.cc, add tests to mysql-test/*.
- CVE-2009-4019
* SECURITY UPDATE: privilege restriction bypass via incorrect calculation
of the mysql_unpacked_real_data_home value
- debian/patches/97_CVE-2009-4030.dpatch: fix initialization order in
sql/mysqld.cc.
- CVE-2009-4030
* SECURITY UPDATE: arbitrary code execution via yassl stack overflow
- debian/patches/98_CVE-2009-4484.dpatch: validate lengths in
extra/yassl/taocrypt/src/asn.*.
- CVE-2009-4484
* debian/patches/99_ssl_test_certs.dpatch: update certificates in the
test suite as they are expired. The new certs expire 2015-01-28.
(LP: #323755)
-- Marc Deslauriers <email address hidden> Mon, 08 Feb 2010 09:01:56 -0500
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.4) hardy-security; urgency=low
* SECURITY UPDATE: denial of service via an empty bit-string literal (b'')
- debian/patches/95_SECURITY_CVE-2008-3963.dpatch: fix Item_bin_string::
Item_bin_string() in sql/item.cc to parse an empty bit-string literal
as an empty string.
- CVE-2008-3963
* SECURITY UPDATE: privilege circumvention via the creation of MyISAM
tables using the DATA DIRECTORY and INDEX DIRECTORY options to overwrite
existing table files in the data directory. This update is a complete
fix for the three CVE numbers listed below. This fix alters table creation
behaviour by disallowing the use of the MySQL data directory in DATA
DIRECTORY and INDEX DIRECTORY options. (LP: #254129)
- debian/patches/96_SECURITY_CVE-2008-4098.dpatch: Disallow use of MySQL
data directory in DATA DIRECTORY and INDEX DIRECTORY options.
- CVE-2008-2079
- CVE-2008-4097
- CVE-2008-4098
* debian/rules: do not update po tree for security updates.
-- Marc Deslauriers <email address hidden> Thu, 13 Nov 2008 14:56:05 -0500
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.3) hardy-proposed; urgency=low
* debian/patches/94_fix_mysqldump_with_old_versions.dpatch: Fixes mysqldump
when dumping a database from mysql 4.1. (LP: #267696)
-- Chuck Short <email address hidden> Wed, 10 Sep 2008 12:34:24 +0000
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.2) hardy-proposed; urgency=low
* Add a Conflicts/Replaces on mysql-client-4.1 and mysql-server-4.1,
to ensure smooth upgrades for users of Ubuntu 6.06 that may still
have these universe packages installed. LP: #208695.
-- Steve Langasek <email address hidden> Wed, 09 Jul 2008 23:53:26 +0000
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5.1) hardy-proposed; urgency=low
* debian/patches/93_fix_user_setup_on_localhost.dpatch
- Fix setup of user table, if hostname is "localhost". Thanks
to Daniel Hahler (LP: #223836)
* debian/patches/56-mysqlhotcopy-invalid-dbtable.dpatch
- Update patch to address mysqlhotcopy issues. (LP: #197606)
-- Chuck Short <email address hidden> Tue, 29 Apr 2008 15:09:33 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu5) hardy; urgency=low
* debian/patches/59-fix-mysql-replication-logs.dpatch:
Fix mysql replication: relay-logs were stored in /var/run. (LP: #119271).
Patch taken from 5.0.54.
* debian/patches/58-disable-ndb-backup-print.dpatch:
update description of ndb_backup_print patch.
-- Mathias Gug <email address hidden> Thu, 27 Mar 2008 19:02:38 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu4) hardy; urgency=low
* Disable ndb_backup_print tests as it fails sometimes (LP: #194542).
Patch taken from 5.0.54.
-- Mathias Gug <email address hidden> Wed, 26 Mar 2008 19:08:32 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu3) hardy; urgency=low
[ Nicolas Valcárcel ]
* Confirming password on install if given (LP: #162167)
[ Jamie Strandboge ]
* follow ApparmorProfileMigration and force apparmor complain mode on some
upgrades (LP: #203531)
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/mysql-server-5.0.dirs: add etc/apparmor.d/force-complain
- debian/mysql-server-5.0.preinst: create symlink for force-complain/
on pre-feisty upgrades, upgrades where apparmor-profiles profile is
unchanged (ie non-enforcing) and upgrades where the profile doesn't
exist
- debian/mysql-server-5.0.postrm: remove symlink in force-complain/ on
purge
* debian/additions/my.cnf: add warning about apparmor (LP: #201799)
-- Mathias Gug <email address hidden> Tue, 25 Mar 2008 17:05:22 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu2) hardy; urgency=low
* debian/patches/92_fix_order_by32202.dpatch: fix for ORDER BY not working
with GROUP BY (LP: #202706)
* References:
http://bugs.mysql.com/bug.php?id=32202
-- Jamie Strandboge <email address hidden> Mon, 17 Mar 2008 07:35:15 -0400
-
mysql-dfsg-5.0 (5.0.51a-3ubuntu1) hardy; urgency=low
* Merge from debian unstable, remaining changes:
- debian/control:
- Set Maintainer to Ubuntu Core dev. Move Debian maintainer
to XSBC-Original-Maintainer.
- Add mysql-doc-5.0 as a Suggests to mysql-client-5.0, mysql-server-5.0
and libmysqlclient15-dev.
- Prepend XS-Original- to Vcs-{Browser,Svn}.
- Fix man page conflicts with mysql-doc-5.0 when upgrading from gutsy
for mysql-server-5.0, mysql-client-5.0 and libmysqlclient15-dev
packages.
- Replaces and Conflicts apparmor-profiles << 2.1+1075-0ubuntu4 to allow
proper upgrade from gutsy.
- debian/rules:
- Apply same configuration options on lpia as for i386.
- Replace --with-comment="Debian" with --with-comment="Ubuntu".
- debian/additions/my.cnf:
Add note about the "/etc/mysql/conf.d" directory in my.cnf.
- debian/patches/56-mysqlhotcopy-invalid-dbtable.dpatch:
Fixed mysqlhotcopy failure.
- debian/patches/57-fix-mysqlslowdump-config.dpatch:
Fixed mysqlslowdump usage.
- debian/apparmor-profile, debian/mysql-server-5.0.files: add AppArmor
profile.
- debian/mysql-server-5.0.postinst: Reload AA profile on configuration.
- debian/mysql-server-5.0.README.Debian: add a note on AppArmor.
mysql-dfsg-5.0 (5.0.51a-3) unstable; urgency=low
* Disable patch 60_raise-max-keylength.dpatch in default build, but still
ship it in the source package.
mysql-dfsg-5.0 (5.0.51a-2) unstable; urgency=low
* Replace 54_ssl-client-support.dpatch added in 5.0.51-2 with patch from
upstream.
* Ignore errors in testsuite on powerpc.
-- Mathias Gug <email address hidden> Mon, 03 Mar 2008 19:43:09 -0500
-
mysql-dfsg-5.0 (5.0.51a-1ubuntu1) hardy; urgency=low
[ Mathias Gug ]
* Merge from debian unstable, remaining changes:
- debian/control:
- Set Maintainer to Ubuntu Core dev. Move Debian maintainer
to XSBC-Original-Maintainer.
- Add mysql-doc-5.0 as a Suggests to mysql-client-5.0, mysql-server-5.0
and libmysqlclient15-dev.
- Prepend XS-Original- to Vcs-{Browser,Svn}.
- Fix man page conflicts with mysql-doc-5.0 when upgrading from gutsy
for mysql-server-5.0, mysql-client-5.0 and libmysqlclient15-dev
packages.
- debian/rules:
- Apply same configuration options on lpia as for i386.
- Replace --with-comment="Debian" with --with-comment="Ubuntu".
- debian/additions/my.cnf:
Add note about the "/etc/mysql/conf.d" directory in my.cnf.
- debian/patches/56-mysqlhotcopy-invalid-dbtable.dpatch:
Fixed mysqlhotcopy failure.
- debian/patches/57-fix-mysqlslowdump-config.dpatch:
Fixed mysqlslowdump usage.
* Dropped:
- debian/rules:
- Support DEB_BUILD_OPTIONS option 'nocheck' to skip tests.
* debian/control:
- Add build dependency on texlive-extra-utils.
[ Jamie Strandboge ]
* add AppArmor profile
+ debian/apparmor-profile
+ debian/mysql-server-5.0.postinst: Reload AA profile on configuration
* updated debian/mysql-server-5.0.README.Debian for note on AppArmor
* debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
should now take control
* debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
to make sure that if earlier version of apparmor-profiles gets installed
it won't overwrite our profile
mysql-dfsg-5.0 (5.0.51a-1) unstable; urgency=low
[ Norbert Tretkowski ]
* New upstream security hotfix release. Low priority upload anyway because
5.0.51-3 already contained all security fixes.
* Remove patches:
+ debian/patches/51_mysqlcheck-result.dpatch
+ debian/patches/92_SECURITY_CVE-2007-6303.dpatch
+ debian/patches/93_SECURITY_CVE-2007-6304.dpatch
+ debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch
* Add recommendation on libhtml-template-perl to -server package, used by
ndb_size. (closes: #462265)
* New patch 60_raise-max-keylength.dpatch to raise the maximum key length to
4005 bytes or 1335 UTF-8 characters. (closes: #463137)
* New patch 51_sort-order.dpatch from 5.0.52 to fix incorrect order when
using range conditions on 2 tables or more.
* Support DEB_BUILD_OPTIONS option 'nocheck' to skip tests.
* Update mysqlreport to 3.4a release.
[ Luk Claes ]
* Updated Japanese debconf translation. (closes: #462158)
-- Mathias Gug <email address hidden> Thu, 14 Feb 2008 13:47:59 -0500
-
mysql-dfsg-5.0 (5.0.51-3ubuntu2) hardy; urgency=low
* Fix man page conflicts. (LP: #189187)
-- Chuck Short <email address hidden> Tue, 05 Feb 2008 11:45:06 -0500
-
mysql-dfsg-5.0 (5.0.51-3ubuntu1) hardy; urgency=low
[Mathias Gug]
* Merge from debian unstable, remaining changes:
- debian/control:
- Set Maintainer to Ubuntu Core dev. Move Debian maintainer
to XSBC-Original-Maintainer.
- Add mysql-doc-5.0 as a Suggests to mysql-client-5.0, mysql-server-5.0
and libmysqlclient15-dev.
- debian/rules: Apply same configuration options on lpia as for i386.
* debian/control:
- Prepend XS-Original- to Vcs-{Browser,Svn}.
* debian/rules:
- Support DEB_BUILD_OPTIONS option 'nocheck' to skip tests.
* Dropped patches:
- debian/patches/91_bug29389.dpatch:
fix for mysql bug 27383 which causes mysql-test 'mysql_client_test'
to fail due to gcc 4.x optimizations.
- debian/libmysqlclient15-dev.files, debian/mysql-client-5.0.files,
debian/mysql-server-5.0.files: man pages are GPLed now.
* Improved error message when unable to connect using debian-sys-maint. (LP:
#153868)
[Chuck Short]
* Replaced --with-comment="Debian" with --with-comment="Ubuntu" in debian/rules (LP: #134384)
* Added note about the "/etc/mysql/conf.d" directory in my.cnf (LP: #136225)
* Fixed mysqlhotcopy failure. (LP: #162393)
* Fixed mysqlslowdump usage. Added patch from Arnold Daniels <email address hidden>. (LP: #183762)
-- Mathias Gug <email address hidden> Fri, 25 Jan 2008 04:10:49 -0500
-
mysql-dfsg-5.0 (5.0.45-3ubuntu1) hardy; urgency=low
* Merge from Debian unstable. Remaining Ubuntu changes:
- debian/control:
- Set Maintainer to Ubuntu Core dev. Move Debian maintainer
to XSBC-Original-Maintainer.
- Add mysql-doc-5.0 as a Suggests to mysql-client-5.0, mysql-server-5.0
and libmysqlclient15-dev.
- debian/rules: Apply same configuration options on lpia as for i386.
- debian/patches/91_bug29389.dpatch:
fix for mysql bug 27383 which causes mysql-test 'mysql_client_test'
to fail due to gcc 4.x optimizations.
- debian/libmysqlclient15-dev.files, debian/mysql-client-5.0.files,
debian/mysql-server-5.0.files: remove dummy man pages, as they are
shipped in mysql-doc-5.0 package in the restricted repository.
mysql-dfsg-5.0 (5.0.45-3) unstable; urgency=high
* SECURITY:
Fix for CVE-2007-5925: The convert_search_mode_to_innobase function in
ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
remote authenticated users to cause a denial of service (database crash)
via a certain CONTAINS operation on an indexed column, which triggers an
assertion error. (closes: #451235)
mysql-dfsg-5.0 (5.0.45-2) unstable; urgency=low
* Package is now team-maintained. (closes: #421026)
[ Sean Finney ]
* New/updated debconf translations:
- Spanish, from Javier Fernández-Sanguino Peña (closes: #426442).
- German, from Alwin Meschede (closes: #426545).
- Danish, from Claus Hindsgaul (closes: #426783).
- French, from Christian Perrier (closes: #430944).
* Add Recommends on libterm-readkey-perl for mysql-client-5.0 package, used
by mysqlreport add-on to mask password entry (closes: #438375).
[ Norbert Tretkowski ]
* Add myself to uploaders.
* Suggest usage of an update statement on the user table to change the mysql
root user password instead of using mysqladmin, to catch all root users from
all hosts. (closes: #435744)
* Remove information about a crash in the server during flush-logs when
having expire_logs_days enabled but log-bin not, this bug was fixed in
5.0.32 already. (closes: #368547)
* Disable log_bin option in default config file and add a note to the NEWS
file. (closes: #349661)
* Fix FTBFS if built twice in a row. (closes: #442684)
* Remove check for buggy options from init script.
* Update innotop to 1.6.0 release.
* Add mysqlreport and innotop to mysql-client description.
* Use shorter server version string.
-- Mathias Gug <email address hidden> Wed, 21 Nov 2007 13:20:05 -0500
-
mysql-dfsg-5.0 (5.0.45-1ubuntu3) gutsy; urgency=low
* fix for mysql bug 27383 which causes mysql-test 'mysql_client_test'
to fail due to gcc 4.x optimizations
-- Jamie Strandboge <email address hidden> Tue, 02 Oct 2007 19:28:58 +0000