← Back to team overview

maria-discuss team mailing list archive

Re: Latest round of Oracle CVE status on MariaDB


Hi, Brian!

Thanks. I've updated the security page now.
I think that CVE-2015-4757 is fixed in 5.5.43 (and 10.0.18), and
are fixed in 5.5.44 (and 10.0.20).

While I cannot be sure what CVE-2015-4737 and CVE-2015-2620 are about,
I suspect that the first is
https://github.com/mysql/mysql-server/commit/c655515d and the second is

If that's right, than the first is intentional behavior, not a bug.
I believe that changing it might break user applications (esp. backups).

The second isn't a fix it all, it only covers one very specific case.
I've created MDEV-8269 to have this bug properly fixed.


On Aug 13, Brian Evans wrote:
> The quarterly CVE list from oracle was published[1].
> The following CVEs are listed there affecting 5.5, but not listed on
> the MariaDB security page[2].
> CVE-2015-4757
> CVE-2015-4752
> CVE-2015-2648
> CVE-2015-2643
> CVE-2015-2582
> CVE-2015-4737
> CVE-2015-2620
> Are they fixed with 5.5.45 and 10.0.21, or any other version?
> Brian
> [1] http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
> [2] https://mariadb.com/kb/en/mariadb/security/