
maria-developers team mailing list archive

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?


----- On 26 Oct, 2015, at 6:00 AM, Otto Kekäläinen otto@xxxxxxxxx wrote:

> Hello Serg!
> 2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@xxxxxxxxxxx>:

>> They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5
>> was the last version when we merged everything from MySQL. That is,
>> MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and
>> Performance Schema from 5.6.

Good summary info.

> It would be nice if the page
> https://mariadb.com/kb/en/mariadb/security/ also had a section that
> was explicit about that Oracle CVEs do _not_ affect MariaDB, because I
> am sure many people wonder what the status might be for
> non-listed CVEs.
> ..wait, it does indeed have the section "CVE's affecting Oracle MySQL"
> at the very end. Can you please update it?

It's probably a real pain to keep this list updated. Something like "we've checked CVEs before and including (CVE-2015-4910) and only the CVEs listed above affect MariaDB" would be sufficient.

Daniel Black, Engineer @ Open Query (http://openquery.com.au)
Remote expertise & maintenance for MySQL/MariaDB server environments.
