
maria-discuss team mailing list archive

Re: MariaDB 10.0.18 now available

 



On 08.05.2015 at 12:06, Sergei Golubchik wrote:
Hi, Reindl!

On May 07, Reindl Harald wrote:

No, it affects the server, not mysql_upgrade. But it's a new
statement, that mysql_upgrade is using, no existing query can
possibly trigger that bug

well, in other words anybody could crash the server by writing a
specific query and so i am not sure what is worse: the security bugs
in 10.0.17 or that bug in 10.0.18

Right. We'll release 10.0.19 to fix that.

thanks

doesn't upstream run "mysql_upgrade" mandatory independent of changes?

No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I
remember. RedHat/Fedora/CentOS - don't (again, as far as I remember).

upstream for me as packager at my own infrastructure is the mariadb developers themselves - in other words: sounds like a completely untested change

OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while
there still was no answer to the mail below and so the state which of
the mysql security bugs are also in mariadb is unknown

I've updated MariaDB.org CVE overview page about a week ago.
(note that email didn't request an answer, it requested the page to be
updated)

well, without a reply one needs to check the page every day if there is an update :-)
