
maria-discuss team mailing list archive

Re: Inclusion of Mysql security fixes in MariaDB


Thank you Sergei,

Looks like there is a release of MariaDB Galera Cluster 10.0.16 also on the
way.

https://mariadb.atlassian.net/browse/MDEV/fixforversion/18101/?selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel

I imagine this will ship shortly after MariaDB 10.0.16?

Best,
Shannon Coen

On Mon, Jan 26, 2015 at 8:44 AM, Sergei Golubchik <serg@xxxxxxxxxxx> wrote:

> Hi, Raina!
>
> On Jan 23, Raina Masand wrote:
> > Hello,
> >
> > We recently were informed of some security fixes in Mysql 5.5.41:
> > http://www.ubuntu.com/usn/usn-2480-1/ and are wondering whether there are
> > plans to include these in an upcoming MariaDB release.  Right now, we are
> > running 10.0.13, so we're trying to plan the next upgrade. We see that
> > there have been similar fixes included in MariaDB 10.0.14 and 10.0.15, so
> > this seems likely.
> >
> > Based on this https://mariadb.com/kb/en/mariadb/development/security/ list
> > of CVE's, it looks like the MariaDB 10.0.15 and MariaDB 5.5.40 include the
> > same security fixes (presumably pulled from Mysql 5.5.40). Can we expect
> > that the fixes from Mysql 5.5.41 will be included in an upcoming MariaDB
> > 10.0.16 release? Would appreciate any insight into the general schedule for
> > addressing these vulnerabilities.
>
> Yes, I have updated the Security page to include these newly announced
> vulnerabilities. They are fixed in MariaDB-5.5.41 and MariaDB-10.0.16.
>
> Generally it works as follows:
> * Oracle discovers or learns about a security vulnerability in MySQL
> * Oracle doesn't tell anyone and secretly fixes it
> * Oracle releases a new - fixed - MySQL version
> * We (MariaDB) pull in MySQL changes and release a new MariaDB version
>   - this usually takes a few days (up to a week)
> * Oracle releases a CPU with very vague description of vulnerabilities
>   - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> * By that time a fixed MariaDB version is already released, I only need
>   to add new CVE numbers to the Security page
>
> So, generally, when new vulnerabilities are publicly announced,
> the latest MariaDB release already has them fixed. Even if the Security
> page doesn't say so.
>
> Regards,
> Sergei
>
>
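The practical question in the thread is whether a running server is already at or past the release that carries the fixes. The following is an added example, not code from the thread or from the MariaDB project: it takes the version string a server reports through `SELECT VERSION()` and compares it, series by series, against the fixed releases Sergei names (MariaDB-5.5.41 and MariaDB-10.0.16). The `FIXED_IN` table is constructed from those two statements only; any other series is reported as unknown rather than guessed, and the sample inventory at the bottom is constructed for illustration.

```python
import re

# Fixed releases named in the thread, keyed by release series (major, minor).
# Constructed for this example from the thread's statements only; extend it
# from the MariaDB Security page when newer advisories are published.
FIXED_IN = {
    (5, 5): (5, 5, 41),
    (10, 0): (10, 0, 16),
}

# MariaDB reports e.g. '10.0.13-MariaDB-log' or '5.5.40-MariaDB-wsrep' (Galera);
# only the leading numeric triple matters for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor, patch) from a SELECT VERSION() result."""
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def needs_upgrade(version_string, fixed_in=FIXED_IN):
    """True if the server predates the fixed release of its series,
    False if it is at or above it, None if the series is not in the table."""
    major, minor, patch = parse_version(version_string)
    fixed = fixed_in.get((major, minor))
    if fixed is None:
        return None
    # Tuple comparison orders (10, 0, 13) < (10, 0, 16) numerically,
    # which a plain string comparison would get wrong for 10.0.9 vs 10.0.16.
    return (major, minor, patch) < fixed


def classify_fleet(versions, fixed_in=FIXED_IN):
    """Group a list of reported version strings into three buckets:
    'outdated', 'current' and 'unknown_series'."""
    buckets = {"outdated": [], "current": [], "unknown_series": []}
    for version in versions:
        verdict = needs_upgrade(version, fixed_in)
        if verdict is None:
            buckets["unknown_series"].append(version)
        elif verdict:
            buckets["outdated"].append(version)
        else:
            buckets["current"].append(version)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; in practice feed in the VERSION() output
    # collected from each server.
    inventory = [
        "10.0.13-MariaDB-log",        # the version the original poster runs
        "10.0.16-MariaDB-wsrep",      # Galera build at the fixed release
        "5.5.40-MariaDB",
        "5.5.41-MariaDB",
        "10.1.2-MariaDB",             # series not covered by the thread
    ]
    for bucket, members in classify_fleet(inventory).items():
        print(f"{bucket}: {members}")
```

The `None` result is deliberate: a series the table does not know about is a gap in the inventory data, not evidence that the server is patched, and the fleet summary keeps it in its own bucket so it is not silently counted as current.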
