Hi! On 15 Feb 2012, at 00:49, Marc Deslauriers wrote:
> We are unable to determine what the recent MySQL security fixes are due to lack of details, and unclear commit messages.
Based on our analysis of commits and bugs, we believe the CPU (critical patch update) that Oracle released was actually for a lot of bugs that have already been fixed in past versions of MySQL. They just seem to have decided to "bulk it up" and place it in one update. Of course Oracle has not come up with an official statement and doesn't seem to be interested in doing so.

What is clear is that these bugs are not "new", and were not found from October 2011 - January 2012. Of course we cannot be sure, but it would seem irresponsible of Oracle to state that the bugs referenced current community releases of MySQL (5.5.21, 5.1.61 - e.g. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0492). In fact the current GA is 5.5.20, and that advisory is listed as "high" in the CPU.

From a blog post by an Oracle employee that is now not online, the references to fixed bugs were:

1. Bug #11759688
2. Bug #52020
3. Bug #13358468
4. Bug #54082
5. Bug #11761576
6. Bug #51252
7. Bug #11758979
8. Bug #48726
9. Bug #11756764
10. Bug #42784
11. Bug #11751793
12. Bug #45546
13. Bug #11754011
14. Bug #13427949
15. Bug #11745230
16. Bug #12133
17. Bug #13116225
18. Bug #11759688
19. Bug #13358468
20. Bug #63020
21. Bug #13344643

Sadly, even in his reference, there are lots of bugs that are only kept in a closed bug system that Oracle has (basically anything with more than 5 digits in the bug number references the closed bug system).

--
Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles
MariaDB: Community developed. Feature enhanced. Backward compatible.
Download it at: http://www.mariadb.org/
Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/