maria-discuss team mailing list archive
Re: Inclusion of Mysql security fixes in MariaDB
Thank you Sergei,
Looks like there is a release of MariaDB Galera Cluster 10.0.16 also on the
I imagine this will ship shortly after MariaDB 10.0.16?
On Mon, Jan 26, 2015 at 8:44 AM, Sergei Golubchik <serg@xxxxxxxxxxx> wrote:
> Hi, Raina!
> On Jan 23, Raina Masand wrote:
> > Hello,
> > We recently were informed of some security fixes in MySQL 5.5.41:
> > http://www.ubuntu.com/usn/usn-2480-1/ and are wondering whether there
> > plans to include these in an upcoming MariaDB release. Right now, we are
> > running 10.0.13, so we're trying to plan the next upgrade. We see that
> > there have been similar fixes included in MariaDB 10.0.14 and 10.0.15, so
> > this seems likely.
> > Based on this https://mariadb.com/kb/en/mariadb/development/security/
> > of CVEs, it looks like the MariaDB 10.0.15 and MariaDB 5.5.40 include
> > same security fixes (presumably pulled from MySQL 5.5.40). Can we expect
> > that the fixes from MySQL 5.5.41 will be included in an upcoming MariaDB
> > 10.0.16 release? Would appreciate any insight into the general schedule
> > addressing these vulnerabilities.
> Yes, I have updated the Security page to include these newly announced
> vulnerabilities. They are fixed in MariaDB-5.5.41 and MariaDB-10.0.16.
> Generally it works as follows:
> * Oracle discovers or learns about a security vulnerability in MySQL
> * Oracle doesn't tell anyone and secretly fixes it
> * Oracle releases a new - fixed - MySQL version
> * We (MariaDB) pull in MySQL changes and release a new MariaDB version
>   - this usually takes a few days (up to a week)
> * Oracle releases a CPU with very vague description of vulnerabilities
> * By that time a fixed MariaDB version is already released, I only need
> to add new CVE numbers to the Security page
> So, generally, when new vulnerabilities are publicly announced,
> the latest MariaDB release already has them fixed. Even if the Security
> page doesn't say so.