
maria-developers team mailing list archive

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?


Hello Serg!

2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@xxxxxxxxxxx>:
> On Oct 25, Christian Rebischke wrote:
>> Hello,
>> Sorry for disturbing again. On your security page
>> https://mariadb.com/kb/en/mariadb/security/ the following CVEs are
>> missing:
> ...
>> I am not sure if mariadb is affected by them or not. Would be awesome
>> if you could add them at the right section :-)
> Not affected, that's why they aren't listed. The security page lists all
> CVEs that affected MariaDB and the version when they were fixed. CVEs
> that never affected us are not listed.
>> CVE-2015-4910
> It's for memcached plugin, we don't have it.
>> CVE-2015-4905
>> CVE-2015-4904
>> CVE-2015-4895
>> CVE-2015-4862
>> CVE-2015-4833
>> CVE-2015-4800
>> CVE-2015-4791
>> CVE-2015-4766
> They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5
> was the last version when we merged everything from MySQL. That is,
> MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and
> Performance Schema from 5.6.

It would be nice if the page
https://mariadb.com/kb/en/mariadb/security/ also had a section that
was explicit that Oracle CVEs do _not_ affect MariaDB, because I
am sure many people wonder what the status might be for
non-listed CVEs.

...wait, it does indeed have the section "CVE's affecting Oracle MySQL"
at the very end. Can you please update it?
The Debian security tracker
lists two CVEs as undetermined, can you say if CVE-2015-4737 and
CVE-2015-2620 affect MariaDB 10.0 or not?

- Otto
