maria-discuss team mailing list archive
Message #02580
Re: MariaDB 10.0.18 now available
On 07.05.2015 at 23:45, Sergei Golubchik wrote:
> On May 07, Reindl Harald wrote:
>>>> and the Fedora 20 build is completely broken and crashes due to "mysql_upgrade"
>>>
>>> Yes, I've just fixed it. But too late for 10.0.18 :(
>>> Your most simple workaround would be not to run mysql_upgrade. It
>>> wouldn't do anything noticeable when upgrading from 10.0.17 to 10.0.18
>>> anyway
>>
>> does that *really* only affect mysql_upgrade since a crash of mysqld
>> itself and not mysql_upgrade is bad and i am not sure if some other
>> query in production would not trigger the same problem?
>
> No, it affects the server, not mysql_upgrade. But it's a new statement,
> that mysql_upgrade is using, no existing query can possibly trigger
> that bug

well, in other words anybody could crash the server by writing a specific
query and so i am not sure what is worse: the security bugs in 10.0.17
or that bug in 10.0.18

doesn't upstream run "mysql_upgrade" mandatory independent of changes?

OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while
there still was no answer to the mail below and so the state which of
the mysql security bugs are also in mariadb is unknown
-------- Forwarded Message --------
Subject: [Maria-developers] Oracle April security notices and MariaDB
Date: Sun, 19 Apr 2015 21:55:19 +0300
From: Otto Kekäläinen <otto@xxxxxxxxx>
To: maria-developers@xxxxxxxxxxxxxxxxxxx <maria-developers@xxxxxxxxxxxxxxxxxxx>
Hello!
Debian security team is pressing me on the information about which
recent Oracle CVEs affect MariaDB and which not. They default to
assuming all affect so we need to prove otherwise.
The Debian CVE tracker:
https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
None of these recent CVEs are listed at the MariaDB.org tracker:
https://mariadb.com/kb/en/mariadb/security/
Could somebody please update the MariaDB.org CVE overview page?