maria-developers team mailing list archive

Thread
Date

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?

To: Christian Rebischke <chris.rebischke@xxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Sun, 25 Oct 2015 19:38:19 +0100
Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20151025165109.GA18215@trudy>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi, Christian!

On Oct 25, Christian Rebischke wrote:
> Hello,
> Sorry for disturbing again. On your security page
> https://mariadb.com/kb/en/mariadb/security/ are the following CVE's
> missing:
...
> I am not sure if mariadb is affected by them or not. Would be awesome
> if you could add them at the right section :-)

Not affected, that's why they aren't listed. The security page lists all
CVEs that affected MariaDB and the version when they were fixed. CVEs
that never affected us are not listed.

> CVE-2015-4910

It's for memcached plugin, we don't have it.

> CVE-2015-4905
> CVE-2015-4904
> CVE-2015-4895
> CVE-2015-4862
> CVE-2015-4833
> CVE-2015-4800
> CVE-2015-4791
> CVE-2015-4766

They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5
was the last version when we merged everything from MySQL. That is,
MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and
Performance Schema from 5.6.

Regards,
Sergei
security@xxxxxxxxxxx

Follow ups

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Otto Kekäläinen, 2015-10-25

References

Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Christian Rebischke, 2015-10-23
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Daniel Black, 2015-10-23
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Sergei Golubchik, 2015-10-23
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Christian Rebischke, 2015-10-25