
maria-discuss team mailing list archive

Re: Heartbleed (OpenSSL) -bug and MariaDB

 

Hi, Peter!

On Apr 10, Peter Laursen wrote:
> What about this
> http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed (MariaDB
> 5.5.36 is listed).
> 
> And what about the C-API?

MariaDB 5.5.36 is vulnerable when it is built with system OpenSSL and
system OpenSSL is vulnerable. Just like any executable linked with
OpenSSL.

The fix is to upgrade system OpenSSL. That's why we prefer to link with
system dynamic libraries, not with bundled static ones.

Regards,
Sergei
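
Added example (not part of the message above and not MariaDB code): a shell check of whether a binary resolves libssl from a shared system library, so that a system OpenSSL upgrade reaches it, and whether a running process still maps the replaced library file and needs a restart. It assumes Linux with `ldd` and `/proc`; the function names are hypothetical and the sample `ldd` and maps lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample inputs are constructed.

# Reads `ldd <binary>` output on stdin. Prints "dynamic <path>" when libssl is
# resolved from a shared library (a system OpenSSL upgrade reaches this binary),
# or "none" when no libssl dependency is listed (TLS code, if any, is linked in
# statically and only a rebuilt binary picks up a fix).
ssl_linkage() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print "dynamic", $3; found = 1; exit }
         END { if (!found) print "none" }'
}

# Reads /proc/<pid>/maps content on stdin. Prints "stale" when the process still
# maps a libssl/libcrypto file that was replaced on disk (upgrade done, process
# not restarted), otherwise "current".
ssl_mapping_state() {
    if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'; then
        echo stale
    else
        echo current
    fi
}

# Constructed ldd output: a server binary using the system library.
SAMPLE_LDD_DYNAMIC='    linux-vdso.so.1 (0x00007ffc1b5f2000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2a4c1d0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2a4bdf0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a4ba20000)'

# Constructed ldd output: a binary with a bundled (static) TLS library.
SAMPLE_LDD_STATIC='    linux-vdso.so.1 (0x00007ffd2a3c1000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5d0e600000)'

# Constructed /proc/<pid>/maps line after the library package was upgraded.
SAMPLE_MAPS_STALE='7f2a4c1d0000-7f2a4c225000 r-xp 00000000 08:01 131215 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

# Usage on a live host: sh check.sh /path/to/binary [pid]
if [ "$#" -ge 1 ]; then
    ldd "$1" | ssl_linkage
    if [ "$#" -ge 2 ]; then ssl_mapping_state < "/proc/$2/maps"; fi
else
    printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | ssl_linkage
    printf '%s\n' "$SAMPLE_LDD_STATIC" | ssl_linkage
    printf '%s\n' "$SAMPLE_MAPS_STALE" | ssl_mapping_state
fi
```

A "stale" result means the upgraded library is on disk but the process is still executing the old copy until it is restarted.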


