MySQL 5.5.25a - CVE-2012-2122

Invader Zim

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

5.5.25a was released, however, custombuild is still on 5.5.25.
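The advisory text quoted above attributes the bypass to an improperly checked return value from certain memcmp implementations. The C below is an added illustration of that class of bug, not part of the original post and not MySQL's source: `wide_compare`, `bool_byte`, both `mismatch_*` functions and the token bytes are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

typedef char bool_byte; /* hypothetical one-byte boolean type */

/* Constructed stand-in for a memcmp that compares 16 bits at a time and
 * returns the word difference: nonzero on mismatch, but not limited to
 * the range -255..255. n must be even. */
static int wide_compare(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = a[i] << 8 | a[i + 1];
        int wb = b[i] << 8 | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Flawed: the int result is narrowed to one byte, so any difference that
 * is a multiple of 256 becomes 0 and is reported as "tokens match". */
static bool_byte mismatch_truncated(const unsigned char *a, const unsigned char *b, size_t n)
{
    return (bool_byte)wide_compare(a, b, n);
}

/* Corrected: reduce the result to 0 or 1 before it is narrowed. */
static bool_byte mismatch_checked(const unsigned char *a, const unsigned char *b, size_t n)
{
    return wide_compare(a, b, n) != 0;
}

/* Constructed sample tokens: WRONG_A differs from EXPECTED by exactly
 * 0x100 in the first word, WRONG_B by 1. */
static const unsigned char EXPECTED[4] = {0x10, 0x20, 0x30, 0x40};
static const unsigned char WRONG_A[4]  = {0x11, 0x20, 0x30, 0x40};
static const unsigned char WRONG_B[4]  = {0x10, 0x21, 0x30, 0x40};

int main(void)
{
    printf("WRONG_A truncated=%d checked=%d\n",
           mismatch_truncated(EXPECTED, WRONG_A, 4), mismatch_checked(EXPECTED, WRONG_A, 4));
    printf("WRONG_B truncated=%d checked=%d\n",
           mismatch_truncated(EXPECTED, WRONG_B, 4), mismatch_checked(EXPECTED, WRONG_B, 4));
    return 0;
}
```

A comparator whose result always stays within -255..255 never triggers the flawed path, which is why the advisory limits the issue to certain environments.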
 
I stand corrected. It is indeed listed in the versions file and shows up when I do ./build versions. I just can't coach custombuild to download and install it. On 1 server it even sticks to 5.5.23 even though ./build versions says 5.5.25a is available.
 
I'm sorry. Usually updates are downloaded when ./build update is run. When executing ./build mysql it does get downloaded. Thanks for setting me straight.
 
Yes, build update just downloads new files (it should download the MySQL RPMs too, I suppose, but I'm not sure).

build mysql will for sure install the latest version, and if the files are not present (and this is valid for any software, AFAIK) it downloads the latest and then installs them.

Is your problem solved now?

Regards
 
./build update doesn't download MySQL as it should. MySQL will be downloaded only when you run ./build mysql or ./build update_versions.

I asked smtalk about this a while ago and remember that he said it's because the script has a problem with some other Linux distributions besides CentOS. So, he keeps it that way for now.
 