Bug #89104 Fetch Boost library over a secure connection
Submitted: 4 Jan 2018 12:47 Modified: 5 Jan 2018 18:56
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: Packaging Severity:S3 (Non-critical)
Version:8.0.3 OS:Any
Assigned to: CPU Architecture:Any
Tags: boost, https, rpm, Security, SSL, tls

[4 Jan 2018 12:47] Daniël van Eeden
$ git grep http://downloads.sourceforge.net
packaging/rpm-docker/mysql.spec.in:Source1:        http://downloads.sourceforge.net/boost/@BOOST_PACKAGE_NAME@.tar.bz2
packaging/rpm-fedora/mysql.spec.in:Source1:        http://downloads.sourceforge.net/boost/@BOOST_PACKAGE_NAME@.tar.bz2
packaging/rpm-oel/mysql.spec.in:Source10:       http://downloads.sourceforge.net/boost/@BOOST_PACKAGE_NAME@.tar.bz2
packaging/rpm-sles/mysql.spec.in:Source10:       http://downloads.sourceforge.net/boost/@BOOST_PACKAGE_NAME@.tar.bz2

How to repeat:
Inspect the .spec files

Suggested fix:
sed -i 's#http://downloads.sourceforge.net#https://downloads.sourceforge.net#g' packaging/*/mysql.spec.in
[4 Jan 2018 13:32] MySQL Verification Team
Hello Daniël,

Thank you for the report and feedback.

[5 Jan 2018 18:56] Paul DuBois
Posted by developer:
Fixed in 5.7.22, 8.0.5, 9.0.0.

Builds using RPM source packages now use a secure connection if Boost
must be downloaded.