maria-developers team mailing list archive

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?


Hi, Daniel!

On Oct 26, Daniel Black wrote:
> > It would be nice if the page
> > https://mariadb.com/kb/en/mariadb/security/ also had a section that
> > was explicit about that Oracle CVEs do _not_ affect MariaDB, because I
> > am sure many people wonder what the status might be for
> > non-listed CVEs.
> > 
> > ..wait, it does indeed have the section "CVE's affecting Oracle MySQL"
> > at the very end. Can you please update it?
> It's probably a real pain to keep this list updated. Something like
> "we've checked CVE before and including (CVE-2015-4910) and only the
> CVEs listed above affect MariaDB" would be sufficient.

Right, thanks for the idea. I'm not sure CVE ids are published
sequentially, though.  It might be that Oracle assigns CVE ids when an
issue is *discovered*, but, obviously, only publishes it when the issue
is *fixed*, so even if they're assigned in order, they might be
published out of order. I've suggested (in another mail in this thread)
to use "from Oracle CPU <link> and all earlier CPUs".