# MySQL 8 port is two releases behind... suffers from CVEs...



## sean137 (May 17, 2021)

Hi all. I see on freshports that MySQL in ports is at 8.0.23.  Yet 8.0.25 has been out for a week, and 8.0.24 was released almost a month ago.  `pkg audit` reports that 8.0.23 suffers from many CVEs.

Is it typical that this port does not stay more up-to-date?


----------



## covacat (May 17, 2021)

can't speak for 8 but 5.7 is not much better either


----------



## sean137 (May 17, 2021)

I haven't been using the MySQL port for long, is it usually up-to-date, and this situation is a one-off?


----------



## richardtoohey2 (May 18, 2021)

I'm on 5.7 and this situation is unusual in the years up until this year (or maybe tail-end of last year).

One of the recent MySQL 5.7 updates seemed to be taking a long time to be released on FreeBSD so I thought "how hard can it be?" and downloaded the old and new versions and diffed them.

I thought there might be a hundred changes ... I was wrong!

I don't know why but Oracle/MySQL seem to stuff hundreds of other changes in each dot release (might have expected that with 8.0 but not the older 5.7).  Entire build system changed or massively tweaked, SSL requirements changed, unrelated changes, etc.  So what should be a reasonably-sized job becomes a monster.  Thousands of changes ... are they all needed?  What do they do?  How do you test?

It made me appreciate the FreeBSD porters a lot more.

Doesn't help any of us waiting for the new versions to be released.

From Twitter: https://twitter.com/joneum/status/1386756765337915398


And in case the link doesn't work I have copy & pasted:




> joneum (@joneum)
>
> another coffee, and then start working on the #FreeBSD updates for #MySQL. Looks again like a lot has changed in the #cmake files
>
> 6:59 AM · Apr 27, 2021 · TweetDeck

He hasn't posted on Twitter since then, so probably still checking cmake file changes!


----------



## CyberCr33p (May 19, 2021)

I tried to create a patch for 5.7 without success:





255748 – databases/mysql57-server: Update to 5.7.34 (fixes security vulnerabilities??) (bugs.freebsd.org)


----------



## covacat (May 20, 2021)

CyberCr33p said:


> I tried to create a patch for 5.7 without success:
> 
> 
> 
> ...


- patch `work/mysql-5.7.34/sql/locks/shared_spin_lock.cc`: at line 246 make both branches like `#ifdef APPLE`: `my_atomic_store64(&this->m_exclusive_owner, reinterpret_cast<int64>(self));`
- change port Makefile: at CMAKE_ARGS => `WITH_DEBUG=1` (from `WITH_DEBUG=0`)
- kill all the patches in `files/*`

and it builds (with lots of warnings)


----------



## CyberCr33p (May 20, 2021)

Can you also post your reply in the PR?


----------



## covacat (May 20, 2021)

CyberCr33p said:


> Can you also post your reply in the PR?


posted. lots of stuff breaks in inno-storage because `-DUNIV_DEBUG` is missing (so `WITH_DEBUG=1`)

also I don't know what side effects might be because I killed all the original patches (mostly of cmakefiles)


----------



## richardtoohey2 (May 20, 2021)

8.0.25 is in ports: https://cgit.freebsd.org/ports/commit/?id=c7fbbf15f3b8471c85f4c404c61fb2c9fbe1b923


----------

