Debian Bug report logs - #664554
RFP: libtaocrypt -- portable, fast, cryptographic library

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Ondřej Surý <ondrej@debian.org>

Date: Wed, 18 May 2011 17:48:01 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#627207; Package mysql-5.1. (Wed, 18 May 2011 17:48:04 GMT)

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 18 May 2011 17:48:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-5.1: Embedded libraries (yassl + taocrypt)
Date: Wed, 18 May 2011 18:37:10 +0200
Package: mysql-5.1
Version: 5.1.57-1
Severity: wishlist

While debugging the FTBFS on i386 I have found two embedded libraries
included in MySQL source code: yassl (extra/yassl) and taocrypt
(extra/yassl/taocrypt), both available from www.yassl.com as separate
libraries.

Since it is against the policy (although only a 'should') and it's
hell from a security POV[1], it would be much better to package those two
libraries separately and link MySQL against the separate packages if
possible (there could be some MySQL source changes which would
prevent doing so).

Another thing which hit me is that MySQL AB blatantly relicensed the
source code of both libraries, which might be a violation of the GPL.  Or
there is some background agreement between MySQL AB/Oracle and
Sawtooth Consulting Ltd. which is not visible from the source code.
Please note that this relicensing might raise the severity to RC, but
since www.yassl.com lists MySQL as a user of their libraries,
I guess they are ok with it.


1. Are you able to tell if any of the security advisories listed
   here: http://secunia.com/advisories/product/6145/ apply to MySQL?
   I am not even able to tell which version of yaSSL is bundled
   with MySQL.  It seems to me that it's 1.6.0 and it is vulnerable
   to: http://aluigi.altervista.org/adv/yasslick-adv.txt

O.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty'), (100, 'natty-backports')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-8-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Bug 627207 cloned as bugs 664553, 664554. Request was from Nicholas Bamber <nicholas@periapt.co.uk> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:30:05 GMT)

Bug reassigned from package 'mysql-5.1' to 'wnpp'. Request was from Nicholas Bamber <nicholas@periapt.co.uk> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:30:07 GMT)

No longer marked as found in versions 5.1.57-1. Request was from Nicholas Bamber <nicholas@periapt.co.uk> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:30:08 GMT)

Changed Bug title to 'RFP: libtaocrypt - portable, fast, cryptographic library' from 'mysql-5.1: Embedded libraries (yassl + taocrypt)'. Request was from Nicholas Bamber <nicholas@periapt.co.uk> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:30:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#664554; Package wnpp. (Sun, 18 Mar 2012 22:45:06 GMT)

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Sun, 18 Mar 2012 22:45:06 GMT)

Message #18 received at 664554@bugs.debian.org:

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: 664554@bugs.debian.org
Subject: details
Date: Sun, 18 Mar 2012 22:40:27 +0000
Package name: libtaocrypt
Version: 0.9.6
Upstream author: yassl.com
URL: http://freecode.com/projects/taocrypt
License: GPL
Programming Lang: C++


TaoCrypt is a portable, fast, cryptographic library for most needs. Its
features include one way hash functions: SHA-1, MD2, MD4, MD5,
RIPEMD-160; message authentication codes: HMAC; block ciphers: DES,
Triple-DES, AES, Blowfish, Twofish; stream ciphers: ARC4; public key
cryptography: RSA, DSA, Diffie-Hellman; password based key derivation:
PBKDF2 from PKCS #5; a pseudo random number generator and large integer
support. There is also support for Base 16/64 encoding/decoding, DER
encoding/decoding, and X.509 processing.

Changed Bug title to 'RFP: libtaocrypt -- portable, fast, cryptographic library' from 'RFP: libtaocrypt - portable, fast, cryptographic library'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Mon, 26 Mar 2012 02:51:15 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:05:36 2014; Machine Name: buxtehude.debian.org