maria-discuss team mailing list archive
Re: MariaDB 10.0.18 now available
On 08.05.2015 at 12:06, Sergei Golubchik wrote:
On May 07, Reindl Harald wrote:
No, it affects the server, not mysql_upgrade. But it's a new
statement, that mysql_upgrade is using, no existing query can
possibly trigger that bug
well, in other words anybody could crash the server by writing a
specific query and so I am not sure what is worse: the security bugs
in 10.0.17 or that bug in 10.0.18
Right. We'll release 10.0.19 to fix that.
doesn't upstream run "mysql_upgrade" mandatory independent of changes?
No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I
remember. RedHat/Fedora/CentOS - don't (again, as far as I remember).
upstream for me as packager at my own infrastructure is mariadb
developers itself - in other words: sounds like a completely untested change
OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while
there still was no answer to the mail below and so the state which of
the mysql security bugs are also in mariadb is unknown
I've updated MariaDB.org CVE overview page about a week ago.
(note that email didn't request an answer, it requested the page to be
well, without a reply one needs to check the page every day if there is
an update :-)