maria-developers team mailing list archive
Message #08985
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
Hi, Otto!

On Oct 25, Otto Kekäläinen wrote:
>
> It would be nice if the page
> https://mariadb.com/kb/en/mariadb/security/ also had a section that
> was explicit that Oracle CVEs do _not_ affect MariaDB, because I
> am sure many people wonder what the status might be for
> non-listed CVEs.

It doesn't make sense to list *all* CVEs that don't apply to MariaDB.
Taking this to extremes - Apache CVEs and X.org CVEs don't apply to
MariaDB either, shall we list them too? :)

> ..wait, it does indeed have the section "CVE's affecting Oracle MySQL"
> at the very end. Can you please update it?

What about "All other CVE's from Oracle CPU <link> and earlier CPUs do
not affect MariaDB"?

> The Debian security tracker
> https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
> lists two CVEs as undetermined, can you say if CVE-2015-4737 and
> CVE-2015-2620 affect MariaDB 10.0 or not?

I can only guess.

CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all
versions of MariaDB and MySQL (!) are affected. See MDEV-8269.

CVE-2015-2620 seems to be Oracle Bug#20754369 (Bug#20007583). It was
fixed in MariaDB 5.5.44 and MariaDB 10.0.20. I've updated the security
page, thanks!

Regards,
Sergei
References
-
Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Christian Rebischke, 2015-10-23
-
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Daniel Black, 2015-10-23
-
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Sergei Golubchik, 2015-10-23
-
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Christian Rebischke, 2015-10-25
-
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Sergei Golubchik, 2015-10-25
-
Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?
From: Otto Kekäläinen, 2015-10-25