[Pkg-mysql-commits] r1323 - in trunk/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Wed Oct 22 10:11:47 UTC 2008
Author: nobse
Date: 2008-10-22 10:11:46 +0000 (Wed, 22 Oct 2008)
New Revision: 1323
Removed:
trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch
Modified:
trunk/debian/changelog
Log:
Remove fix for CVE-2008-4456 for now, not approved from MySQL.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2008-10-09 06:53:30 UTC (rev 1322)
+++ trunk/debian/changelog 2008-10-22 10:11:46 UTC (rev 1323)
@@ -1,10 +1,5 @@
-mysql-dfsg-5.0 (5.0.51a-16) UNRELEASED; urgency=high
+mysql-dfsg-5.0 (5.0.51a-16) unstable; urgency=low
- * SECURITY:
- Fix for CVE-2008-4456: Cross-site scripting (XSS) vulnerability in the
- command-line client, when the --html option is enabled, allows attackers
- to inject arbitrary web script or HTML by placing it in a database cell,
- which might be accessed by this client when composing an HTML document.
* New patch 60_rpl_test_failure.dpatch from Michael Casadevall to fix a race
condition with the rpl_packet test in some cases. (closes: #501413)
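Review bot: The removed SECURITY block at the top of the 5.0.51a-16 entry leaves no trace in the changelog that the CVE-2008-4456 fix was carried and then withdrawn, and the same hunk lowers `urgency=high` to `urgency=low` while moving the entry from UNRELEASED to unstable. Someone reading this entry later cannot tell that the --html output issue described in the deleted lines is still open in this upload. Consider keeping a one-line item under this version that says 94_SECURITY_CVE-2008-4456.dpatch was dropped pending approval from MySQL, so the reason in the commit log is also recorded in the package history.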
Deleted: trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch
===================================================================
--- trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch 2008-10-09 06:53:30 UTC (rev 1322)
+++ trunk/debian/patches/94_SECURITY_CVE-2008-4456.dpatch 2008-10-22 10:11:46 UTC (rev 1323)
@@ -1,36 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 94_SECURITY_CVE-2008-4456.dpatch by Norbert Tretkowski <nobse at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2008-4456
-
- at DPATCH@
-=== modified file 'client/mysql.cc'
---- client/mysql.cc 2007-11-13 13:29:42 +0000
-+++ client/mysql.cc 2008-05-01 19:16:09 +0000
-@@ -2636,9 +2636,12 @@
- {
- while((field = mysql_fetch_field(result)))
- {
-- tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ?
-- (field->name[0] ? field->name :
-- " ") : "NULL"));
-+ tee_fputs("<TH>", PAGER);
-+ if (field->name && field->name[0])
-+ xmlencode_print(field->name, field->name_length);
-+ else
-+ tee_fputs(field->name ? " " : "NULL", PAGER);
-+ tee_fputs("</TH>", PAGER);
- }
- (void) tee_fputs("</TR>", PAGER);
- }
-@@ -2651,7 +2654,7 @@
- for (uint i=0; i < mysql_num_fields(result); i++)
- {
- (void) tee_fputs("<TD>", PAGER);
-- safe_put_field(cur[i],lengths[i]);
-+ xmlencode_print(cur[i], lengths[i]);
- (void) tee_fputs("</TD>", PAGER);
- }
- (void) tee_fputs("</TR>", PAGER);
-
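Review bot: Deleting this dpatch returns both inner hunks of client/mysql.cc to their pre-fix form, so the header path at @@ -2636 goes back to `tee_fprintf(PAGER, "<TH>%s</TH>", ...)` with `field->name` passed straight through, and the row path at @@ -2654 goes back to `safe_put_field(cur[i],lengths[i]);` instead of `xmlencode_print(cur[i], lengths[i]);`. That is the behaviour the removed changelog text describes for the --html option, so the removal should be tracked somewhere visible (a bug reference or a note in the changelog) rather than only in the commit log. Two smaller points: the patch header carries only `## DP: Fix for CVE-2008-4456` with no pointer to the upstream report, which would help when the fix is reconsidered; and this revision lists only debian/changelog as modified, so if the patch is named in the dpatch series list (00list), that entry needs to be removed in the same commit or the build will look for a file that no longer exists.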