maria-discuss team mailing list archive

[Sergei Golubchik <serg@xxxxxxxxxxx>]

Hi, Raina!

On Jan 23, Raina Masand wrote:
> Hello,
> 
> We recently were informed of some security fixes in Mysql 5.5.41:
> http://www.ubuntu.com/usn/usn-2480-1/ and are wondering whether there are
> plans to include these in an upcoming MariaDB release.  Right now, we are
> running 10.0.13, so we're trying to plan the next upgrade. We see that
> there have been similar fixes included in MariaDB 10.0.14 and 10.0.15, so
> this seems likely.
> 
> Based on this https://mariadb.com/kb/en/mariadb/development/security/ list
> of CVE's, it looks like the MariaDB 10.0.15 and MariaDB 5.5.40 include the
> same security fixes (presumably pulled from Mysql 5.5.40). Can we expect
> that the fixes from Mysql 5.5.41 will be included in an upcoming MariaDB
> 10.0.16 release? Would appreciate any insight into the general schedule for
> addressing these vulnerabilities.

Yes, I have updated the Security page to include these newly announced
vulnerabilities. They are fixed in MariaDB-5.5.41 and MariaDB-10.0.16.

Generally it works as follows:
* Oracle discovers or learns about a security vulnerability in MySQL
* Oracle doesn't tell anyone and secretly fixes it
* Oracle releases a new - fixed - MySQL version
* We (MariaDB) pull in MySQL changes and release a new MariaDB version
  - this usually takes few days (up to a week)
* Oracle releases a CPU with very vague description of vulnerabilities
  - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
* By that time a fixed MariaDB version is already released, I only need
  to add new CVE numbers to the Security page

So, generally, when new vulnerabilities are publically announced,
the latest MariaDB release already has them fixed. Even if Security
page doesn't tell so.

Regards,
Sergei