maria-discuss team mailing list archive

Re: mariadb CVE

 

Hi, mingming1!

On May 05, mingming1 yu wrote:
> Hi Expert,
> 
> I have a question about how to identify a mariadb CVE issue.
> 
> For example, per description of
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481, it only refers
> to the mysql versions which are affected, but does not mention any info about
> mariadb. So I continued to look for some clue at
> https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/,
> but there is no item about CVE-2019-2481. And then I continue to search
> some clues at "Full List of CVEs fixed in MariaDB" part of
> https://mariadb.com/kb/en/library/security/, and at this page there is a
> line as below:
> - CVE-2019-2481
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481>: MariaDB
> 5.5.37 <https://mariadb.com/kb/en/mariadb-5537-release-notes/>, MariaDB
> 10.0.11 <https://mariadb.com/kb/en/mariadb-10011-release-notes/>
> 
> But I still don't know whether it affects Mariadb 10.3.13 or not.

Generally, you can assume that a CVE in any MariaDB version affects
versions (in other major releases too) that were released before the
fix date, and does not affect versions (in other major releases too)
that were released after the fix date.

In this particular case it does not affect 10.3.13, because
according to https://mariadb.com/kb/en/mariadb-5537-release-notes
CVE-2019-2481 was fixed in 5.5.37, released on 17 Apr 2014.
And 10.3.13 was released on 21 Feb 2019.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
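
The rule of thumb from the reply above, applied to an inventory of installed versions; this is an added example, not part of the original message and not MariaDB tooling. The tables hold only the values quoted in the thread, and the function names, the three verdict strings and the choice of the earliest known fix-release date as "the fix date" are assumptions.

```python
from datetime import date

# Release dates quoted in the thread. Any other version has to be added from
# the MariaDB release notes before it can be assessed.
RELEASE_DATES = {
    "5.5.37": date(2014, 4, 17),
    "10.3.13": date(2019, 2, 21),
}

# "Fixed in" list for the CVE, as quoted from the MariaDB KB security page.
FIXED_IN = {"CVE-2019-2481": ["5.5.37", "10.0.11"]}


def fix_date(cve):
    """Earliest known release date among the versions listed as fixing the CVE.

    Assumption: the earliest fix release defines the fix date, which is how
    the reply used 5.5.37. Returns None when no date is known.
    """
    known = [RELEASE_DATES[v] for v in FIXED_IN.get(cve, []) if v in RELEASE_DATES]
    return min(known) if known else None


def assess(cve, version):
    """Return 'not affected', 'affected' or 'unknown' for one version."""
    if version in FIXED_IN.get(cve, []):
        return "not affected"      # this release shipped the fix
    fixed_on = fix_date(cve)
    released = RELEASE_DATES.get(version)
    if fixed_on is None or released is None:
        return "unknown"           # missing date: look it up, do not guess
    # Released after the fix date: not affected, in any major series.
    # Released on or before it: assume affected (same-day is kept conservative).
    return "not affected" if released > fixed_on else "affected"


def triage(cve, installed_versions):
    """Map every installed version to its verdict for the given CVE."""
    return {v: assess(cve, v) for v in installed_versions}


if __name__ == "__main__":
    # 10.3.12 has no release date in the table, so it is reported as unknown.
    for version, verdict in triage("CVE-2019-2481", ["10.3.13", "10.3.12"]).items():
        print(f"{version}: {verdict}")
```

An "unknown" verdict means the release date has to be taken from that version's release notes and added to the table before the version can be cleared.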

