← Back to team overview

maria-developers team mailing list archive

Re: Several CVE's in Oracle MySQL, is MariaDB vulnerable?


Hi, Otto!

On Oct 26, Otto Kekäläinen wrote:
> 2015-10-26 11:35 GMT+02:00 Sergei Golubchik <serg@xxxxxxxxxxx>:
> >> The Debian security tracker
> >> https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
> >> lists two CVEs as undetermined, can you say if CVE-2015-4737 and
> >> CVE-2015-2620 affect MariaDB 10.0 or not?
> >
> > I can only guess.
> >
> > CVE-2015-4737 seems to be Oracle Bug#20181776.  If it is, then yes, all
> > versions of MariaDB and MySQL (!) are affected. See MDEV-8269.
> This CVE is fixed in MySQL 5.6 according to
> https://security-tracker.debian.org/tracker/CVE-2015-4737

I know. Oracle CPU from July 2015 lists it as fixed.
But that commit fixes only one specific use case.
There is no complete solution for Bug#20181776 either in MySQL or in
MariaDB. Again, please see MDEV-8269.

Disclaimer: CVE-2015-4737 may be not Bug#20181776 at all.