
maria-discuss team mailing list archive

Re: MariaDB 10.0.18 now available


On 07.05.2015 at 23:45, Sergei Golubchik wrote:
> On May 07, Reindl Harald wrote:
>> and the Fedora 20 build is completely broken and crashes due to "mysql_upgrade"
>
> Yes, I've just fixed it. But too late for 10.0.18 :(
>
> Your most simple workaround would be not to run mysql_upgrade. It
> wouldn't do anything noticeable when upgrading from 10.0.17 to 10.0.18
>
>> does that *really* only affect mysql_upgrade since a crash of mysqld
>> itself and not mysql_upgrade is bad and i am not sure if some other
>> query in production would not trigger the same problem?
>
> No, it affects the server, not mysql_upgrade. But it's a new statement,
> that mysql_upgrade is using, no existing query can possibly trigger
> that bug

well, in other words anybody could crash the server by writing a specific query and so i am not sure what is worse: the security bugs in 10.0.17 or that bug in 10.0.18

doesn't upstream run "mysql_upgrade" mandatory independent of changes?

OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while there still was no answer to the mail below and so the state which of the mysql security bugs are also in mariadb is unknown

-------- Forwarded Message --------
Subject: [Maria-developers] Oracle April security notices and MariaDB
Date: Sun, 19 Apr 2015 21:55:19 +0300
From: Otto Kekäläinen <otto@xxxxxxxxx>
To: maria-developers@xxxxxxxxxxxxxxxxxxx <maria-developers@xxxxxxxxxxxxxxxxxxx>


Debian security team is pressing me on the information about which
recent Oracle CVEs affect MariaDB and which not. They default to
assuming all affect so we need to prove otherwise.

The Debian CVE tracker:

None of these recent CVEs are listed at the MariaDB.org tracker:

Could somebody please update the MariaDB.org CVE overview page?
