maria-discuss team mailing list archive

Thread
Date

Re: Latest round of Oracle CVE status on MariaDB

To: Brian Evans <grknight@xxxxxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Thu, 13 Aug 2015 21:54:37 +0200
Cc: MariaDB discuss <maria-discuss@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <55CCEB69.1060004@scent-team.com>
User-agent: Mutt/1.5.23 (2014-03-12)

Hi, Brian!

Thanks. I've updated the security page now.
I think that CVE-2015-4757 is fixed in 5.5.43 (and 10.0.18), and
  CVE-2015-4752
  CVE-2015-2648
  CVE-2015-2643 
  CVE-2015-2582
are fixed in 5.5.44 (and 10.0.20).

While I cannot be sure what CVE-2015-4737 and CVE-2015-2620 are about,
I suspect that the first is
https://github.com/mysql/mysql-server/commit/c655515d and the second is
https://github.com/mysql/mysql-server/commit/fdae90dd.

If that's right, than the first is intentional behavior, not a bug.
I believe that changing it might break user applications (esp. backups).

The second isn't a fix it all, it only covers one very specific case.
I've created MDEV-8269 to have this bug properly fixed.

Regards,
Sergei

On Aug 13, Brian Evans wrote:
> The quarterly CVE list from oracle was published[1].
> The following CVEs are listed there affecting 5.5, but not listed on
> the MariaDB security page[2].
> 
> CVE-2015-4757
> CVE-2015-4752
> CVE-2015-2648
> CVE-2015-2643
> CVE-2015-2582
> CVE-2015-4737
> CVE-2015-2620
> 
> Are they fixed with 5.5.45 and 10.0.21, or any other version?
> 
> Brian
> 
> [1] http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
> [2] https://mariadb.com/kb/en/mariadb/security/
>

References

Latest round of Oracle CVE status on MariaDB
From: Brian Evans, 2015-08-13