maria-discuss team mailing list archive
Message #02587
Re: MariaDB 10.0.18 now available
Hi, Reindl!
On May 07, Reindl Harald wrote:
>
> > No, it affects the server, not mysql_upgrade. But it's a new
> > statement, that mysql_upgrade is using, no existing query can
> > possibly trigger that bug
>
> well, in other words anybody could crash the server by writing a
> specific query and so I am not sure what is worse: the security bugs
> in 10.0.17 or that bug in 10.0.18
Right. We'll release 10.0.19 to fix that.
> doesn't upstream run "mysql_upgrade" mandatorily, independent of changes?
No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I
remember. RedHat/Fedora/CentOS - don't (again, as far as I remember).
> OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while
> there still was no answer to the mail below and so the state which of
> the mysql security bugs are also in mariadb is unknown
I've updated the MariaDB.org CVE overview page about a week ago.
(note that email didn't request an answer, it requested the page to be
updated)
Regards,
Sergei
> -------- Forwarded Message --------
> Subject: [Maria-developers] Oracle April security notices and MariaDB
> Date: Sun, 19 Apr 2015 21:55:19 +0300
> From: Otto Kekäläinen <otto@xxxxxxxxx>
> To: maria-developers@xxxxxxxxxxxxxxxxxxx
> <maria-developers@xxxxxxxxxxxxxxxxxxx>
>
> Hello!
>
> Debian security team is pressing me on the information about which
> recent Oracle CVEs affect MariaDB and which not. They default to
> assuming all affect so we need to prove otherwise.
>
> The Debian CVE tracker:
> https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
>
> None of these recent CVEs are listed at the MariaDB.org tracker:
> https://mariadb.com/kb/en/mariadb/security/
>
> Could somebody please update the MariaDB.org CVE overview page?