← Back to team overview

maria-discuss team mailing list archive

Re: mariadb CVE


Hi, mingming1!

On May 05, mingming1 yu wrote:
> Hi Expert,
> I have a question how to identify a mariadb CVE issue.
> For example, per description of
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481, it only refers
> the mysql version which are affected, but not mention any info about
> mariadb. So I continue to find some clue at
> https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/,
> but there is no item about CVE-2019-2481. And then I continue to search
> some clues at "Full List of CVEs fixed in MariaDB" part of
> https://mariadb.com/kb/en/library/security/, and at this page there is a
> line as below:
> - CVE-2019-2481
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481>: MariaDB
> 5.5.37 <https://mariadb.com/kb/en/mariadb-5537-release-notes/>, MariaDB
> 10.0.11 <https://mariadb.com/kb/en/mariadb-10011-release-notes/>
> But I still don't know whether it affects Mariadb 10.3.13 or not.

Generally, you can assume that a CVE in any MariaDB version affects
versions (in other major releases too), that were released before the
fix date, and does not affect versions (in other major releases too)
that were released after the fix date.

In this particular case it does not affect 10.3.13. Because
according to https://mariadb.com/kb/en/mariadb-5537-release-notes
CVE-2019-2481 was fixed in 5.5.37, released on 17 Apr 2014.
And 10.3.13 was released on  21 Feb 2019.

Chief Architect MariaDB
and security@xxxxxxxxxxx