From 148a89c268795c3858efc62e2385ec0df491db20 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 9 Nov 2006 23:31:23 +0000 Subject: [PATCH] Update to MySQL 5.0.27, fix a couple minor issues noted in changelog entry. --- .cvsignore | 2 +- mysql-bdb-link.patch | 31 +++++++++++++ mysql-ssl-bugs.patch | 101 +++++++++++++++++++++++++++++++++++++++++++ mysql.init | 1 + mysql.spec | 24 ++++++++-- sources | 2 +- 6 files changed, 156 insertions(+), 5 deletions(-) create mode 100644 mysql-bdb-link.patch create mode 100644 mysql-ssl-bugs.patch diff --git a/.cvsignore b/.cvsignore index 42d20c6..f3c0171 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -mysql-5.0.22.tar.gz +mysql-5.0.27.tar.gz diff --git a/mysql-bdb-link.patch b/mysql-bdb-link.patch new file mode 100644 index 0000000..736a588 --- /dev/null +++ b/mysql-bdb-link.patch @@ -0,0 +1,31 @@ +Fix link flags, per RH bug #199368. + +Probably no point in filing this upstream, since MySQL AB is dropping BDB +support; we won't need it ourselves when we move to mysql 5.1. + + +diff -Naur mysql-5.0.27.orig/bdb/dist/Makefile.in mysql-5.0.27/bdb/dist/Makefile.in +--- mysql-5.0.27.orig/bdb/dist/Makefile.in 2006-10-20 20:22:38.000000000 -0400 ++++ mysql-5.0.27/bdb/dist/Makefile.in 2006-11-08 19:25:24.000000000 -0500 +@@ -52,8 +52,9 @@ + ################################################## + CPPFLAGS= -I$(builddir) -I$(srcdir) -I$(srcdir)/dbinc @CPPFLAGS@ + CFLAGS= -c $(CPPFLAGS) @CFLAGS@ ++LOPTFLAGS= $(CPPFLAGS) @CFLAGS@ + CC= @MAKEFILE_CC@ +-CCLINK= @MAKEFILE_CCLINK@ ++CCLINK= @MAKEFILE_CCLINK@ $(LOPTFLAGS) + + LDFLAGS= @LDFLAGS@ + LIBS= @LIBS@ +@@ -74,8 +75,8 @@ + ################################################## + CXXFLAGS= -c $(CPPFLAGS) @CXXFLAGS@ + CXX= @MAKEFILE_CXX@ +-CXXLINK= @MAKEFILE_CXXLINK@ +-XSOLINK= @MAKEFILE_XSOLINK@ ++CXXLINK= @MAKEFILE_CXXLINK@ $(LOPTFLAGS) ++XSOLINK= @MAKEFILE_XSOLINK@ $(LOPTFLAGS) + LIBXSO_LIBS= @LIBXSO_LIBS@ + + libcxx= libdb_cxx.a diff --git a/mysql-ssl-bugs.patch b/mysql-ssl-bugs.patch new file mode 100644 index 0000000..6e5553a --- /dev/null +++ b/mysql-ssl-bugs.patch @@ -0,0 +1,101 @@ +Workarounds for recently-introduced SSL breakage, filed as upstream bugs +#24121, #24148, and #24157. + +I believe the client.c fix is actually correct. + +The viossl.c patch is just a crude reversion to the 5.0.22 approach to work +around brain death in close_connection(). I don't know the mysql code well +enough to venture changing the locking logic in close_connection(), though. + +Also, change openssl_1 test to agree with the test certificate included in the +distribution. And in viosslfactories.c, suppress ERR_print_errors_fp which +gives system-dependent error messages, since that breaks the openssl_1 test +(which has evidently only been tested with yassl, if at all). + + +diff -Naur mysql-5.0.27.orig/sql-common/client.c mysql-5.0.27/sql-common/client.c +--- mysql-5.0.27.orig/sql-common/client.c 2006-10-20 20:22:26.000000000 -0400 ++++ mysql-5.0.27/sql-common/client.c 2006-11-08 19:20:49.000000000 -0500 +@@ -2949,7 +2949,7 @@ + mysql->reconnect= *(my_bool *) arg; + break; + case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: +- if (!arg || test(*(uint*) arg)) ++ if (!arg || test(*(my_bool*) arg)) + mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT; + else + mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT; +diff -Naur mysql-5.0.27.orig/vio/viossl.c mysql-5.0.27/vio/viossl.c +--- mysql-5.0.27.orig/vio/viossl.c 2006-10-20 20:23:11.000000000 -0400 ++++ mysql-5.0.27/vio/viossl.c 2006-11-09 13:57:32.000000000 -0500 +@@ -119,19 +119,10 @@ + + if (ssl) + { +- switch ((r= SSL_shutdown(ssl))) +- { +- case 1: /* Shutdown successful */ +- break; +- case 0: /* Shutdown not yet finished, call it again */ +- if ((r= SSL_shutdown(ssl) >= 0)) +- break; +- /* Fallthrough */ +- default: /* Shutdown failed */ ++ r = SSL_shutdown(ssl); ++ if (r < 0) + DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %s", + SSL_get_error(ssl, r))); +- break; +- } + SSL_free(ssl); + vio->ssl_arg= 0; + } +diff -Naur mysql-5.0.27.orig/mysql-test/r/openssl_1.result mysql-5.0.27/mysql-test/r/openssl_1.result +--- mysql-5.0.27.orig/mysql-test/r/openssl_1.result 2006-10-20 20:36:44.000000000 -0400 ++++ mysql-5.0.27/mysql-test/r/openssl_1.result 2006-11-09 15:11:47.000000000 -0500 +@@ -3,8 +3,8 @@ + insert into t1 values (5); + grant select on test.* to ssl_user1@localhost require SSL; + grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; +-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com"; ++grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; + grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx"; + flush privileges; + connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET); +diff -Naur mysql-5.0.27.orig/mysql-test/t/openssl_1.test mysql-5.0.27/mysql-test/t/openssl_1.test +--- mysql-5.0.27.orig/mysql-test/t/openssl_1.test 2006-10-20 20:36:43.000000000 -0400 ++++ mysql-5.0.27/mysql-test/t/openssl_1.test 2006-11-09 15:10:29.000000000 -0500 +@@ -10,8 +10,8 @@ + + grant select on test.* to ssl_user1@localhost require SSL; + grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; +-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com"; ++grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; + grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx"; + flush privileges; + +diff -Naur mysql-5.0.27.orig/vio/viosslfactories.c mysql-5.0.27/vio/viosslfactories.c +--- mysql-5.0.27.orig/vio/viosslfactories.c 2006-10-20 20:22:39.000000000 -0400 ++++ mysql-5.0.27/vio/viosslfactories.c 2006-11-09 16:02:14.000000000 -0500 +@@ -88,7 +88,7 @@ + DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file)); + /* FIX stderr */ + fprintf(stderr,"Error when connection to server using SSL:"); +- ERR_print_errors_fp(stderr); ++ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr);); + fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file); + fflush(stderr); + DBUG_RETURN(1); +@@ -102,7 +102,7 @@ + DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file)); + /* FIX stderr */ + fprintf(stderr,"Error when connection to server using SSL:"); +- ERR_print_errors_fp(stderr); ++ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr);); + fprintf(stderr,"Unable to get private key from '%s'\n", key_file); + fflush(stderr); + DBUG_RETURN(1); diff --git a/mysql.init b/mysql.init index c6041d6..fce6e34 100644 --- a/mysql.init +++ b/mysql.init @@ -87,6 +87,7 @@ start(){ if [ $STARTTIMEOUT -eq 0 ]; then echo "Timeout error occurred trying to start MySQL Daemon." action $"Starting $prog: " /bin/false + ret=1 else action $"Starting $prog: " /bin/true fi diff --git a/mysql.spec b/mysql.spec index ecf64ca..0c08270 100644 --- a/mysql.spec +++ b/mysql.spec @@ -1,6 +1,6 @@ Name: mysql -Version: 5.0.22 -Release: 2.1 +Version: 5.0.27 +Release: 1%{?dist} Summary: MySQL client programs and shared libraries. License: GPL Group: Applications/Databases @@ -24,6 +24,8 @@ Patch5: mysql-no-atomic.patch Patch6: mysql-rpl_ddl.patch Patch7: mysql-rpl-test.patch Patch8: mysql-install-test.patch +Patch9: mysql-bdb-link.patch +Patch10: mysql-ssl-bugs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root Prereq: /sbin/ldconfig, /sbin/install-info, grep, fileutils, chkconfig @@ -114,6 +116,8 @@ the MySQL sources. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 libtoolize --force aclocal @@ -284,7 +288,6 @@ fi %{_bindir}/mysqlbinlog %{_bindir}/mysqlcheck %{_bindir}/mysqldump -%{_bindir}/mysqldumpslow %{_bindir}/mysqlimport %{_bindir}/mysqlshow @@ -348,8 +351,10 @@ fi %{_bindir}/mysql_setpermission %{_bindir}/mysql_tzinfo_to_sql %{_bindir}/mysql_upgrade +%{_bindir}/mysql_upgrade_shell %{_bindir}/mysql_zap %{_bindir}/mysqlbug +%{_bindir}/mysqldumpslow %{_bindir}/mysqld_multi %{_bindir}/mysqld_safe %{_bindir}/mysqlhotcopy @@ -372,6 +377,7 @@ fi %{_mandir}/man1/myisam_ftdump.1.gz %{_mandir}/man1/mysql.server.1.gz %{_mandir}/man1/mysql_config.1.gz +%{_mandir}/man1/mysql_explain_log.1.gz %{_mandir}/man1/mysql_fix_privilege_tables.1* %{_mandir}/man1/mysql_upgrade.1* %{_mandir}/man1/mysql_zap.1* @@ -387,6 +393,8 @@ fi %{_mandir}/man1/perror.1* %{_mandir}/man1/replace.1* %{_mandir}/man1/safe_mysqld.1* +%{_mandir}/man8/mysqld.8* +%{_mandir}/man8/mysqlmanager.8* %dir %{_datadir}/mysql %{_datadir}/mysql/errmsg.txt @@ -414,6 +422,16 @@ fi %attr(-,mysql,mysql) %{_datadir}/mysql-test %changelog +* Wed Nov 8 2006 Tom Lane 5.0.27-1 +- Update to MySQL 5.0.27 (see CVE-2006-4031, CVE-2006-4226, CVE-2006-4227) +Resolves: #202247, #202675, #203427, #203428, #203432, #203434, #208641 +- Fix init script to return status 1 on server start timeout +Resolves: #203910 +- Move mysqldumpslow from base package to mysql-server +Resolves: #193559 +- Adjust link options for BDB module +Resolves: #199368 + * Wed Jul 12 2006 Jesse Keating - 5.0.22-2.1 - rebuild diff --git a/sources b/sources index d8c3700..28502fc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b0533dce52a3147234e588f51affbcab mysql-5.0.22.tar.gz +584d423440a9d9c859678e3d4f2690b3 mysql-5.0.27.tar.gz