
maria-developers team mailing list archive

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?

 

Hello Serg!

2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@xxxxxxxxxxx>:
> On Oct 25, Christian Rebischke wrote:
>> Hello,
>> Sorry for disturbing again. On your security page
>> https://mariadb.com/kb/en/mariadb/security/ are the following CVE's
>> missing:
> ...
>> I am not sure if mariadb is affected by them or not. Would be awesome
>> if you could add them at the right section :-)
>
> Not affected, that's why they aren't listed. The security page lists all
> CVEs that affected MariaDB and the version when they were fixed. CVEs
> that never affected us are not listed.
>
>> CVE-2015-4910
>
> It's for memcached plugin, we don't have it.
>
>> CVE-2015-4905
>> CVE-2015-4904
>> CVE-2015-4895
>> CVE-2015-4862
>> CVE-2015-4833
>> CVE-2015-4800
>> CVE-2015-4791
>> CVE-2015-4766
>
> They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5
> was the last version when we merged everything from MySQL. That is,
> MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and
> Performance Schema from 5.6.


It would be nice if the page
https://mariadb.com/kb/en/mariadb/security/ also had a section that
was explicit about that Oracle CVEs do _not_ affect MariaDB, because I
am sure many people wonder what the status might be for
non-listed CVEs.

..wait, it does indeed have the section "CVE's affecting Oracle MySQL"
at the very end. Can you please update it?

The Debian security tracker
https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
lists two CVEs as undetermined, can you say if CVE-2015-4737 and
CVE-2015-2620 affect MariaDB 10.0 or not?

- Otto

