Hello
We backported patches for the recent security problems to MySQL 3.23.49,
4.0.24 and 4.1.11 and put them (inside the .diff.gz) on
http://www.lathspell.de/linux/debian/mysql/
in case it helps other distributions who prepare security updates for their
older releases, too. One upstream patch for a more recent 4.0 version
can be found here: http://lists.mysql.com/commits/5500
Apropos...
To MySQL: it would be really beneficial for us distribution packagers
if in the case of security problems, you would make an announcement
on this list with URLs to small patches for at least every major version.
This saves us a lot of time comparing versions, begging for BitKeeper
commit URLs and trying to find nonexistent bug tracking system entries...
bye,
-christian-
P.S.: 4.0 was fixed by MySQL for CVE-2006-1517 but it seemed to us as if at
least 4.0.24 was not vulnerable as the PoC exploit did not work. This was
confirmed by Stefano DiPaolo, the original bugtraq reporter. We left the
patch applied nevertheless.