maria-docs team mailing list archive

Thread
Date

Re: CVE list for connectors

To: Michal Schorm <mschorm@xxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Tue, 21 Aug 2018 19:19:09 +0200
Cc: mariadb-discuss@xxxxxxxxxxxxxxxxxxx, maria-docs@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CALC7GWxuURqAzwU_iSiDo3kP0c17rXzKp05citMqSkvNft+gGw@mail.gmail.com>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Michal!

On Aug 21, Michal Schorm wrote:
> Hello,
> 
> On this page: https://mariadb.com/kb/en/library/security/
> I can find CVEs that affect MariaDB server and releases they were fixed in.
> 
> Other useful page is this one:
> https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/
> 
> --
> 
> I'd like to ask you to also list CVEs applicable for connectors and
> versions of connectors (CONC, CONJ, ODBC) they were fixed in, since there
> is not direct relationship between:
>  1) server nad CONC
>  2) ODBC and CONC
> Server is (or atleast should be) built on top of released version of
> the CONC, not the latest Git content.

Yes, absolutely. We're not quite there yet, but moving there.

> Atleast downstreams starts to use this scheme (separate server and
> client library - the CONC), so they depend only on the released
> versions of the CONC.
> 
> For example CVE-2018-3081 should be fixed in CONC 3.0.5, however since
> nor git commit, nor CONC release notes says it explicitly, I can only
> guess.

You're right, it is fixed in CONC 3.0.5, I've updated release noted.

It's not shown on the https://mariadb.com/kb/en/security/ page yet
because that page is generated from release notes, automatically picking
up the correct server version, and this code doesn't support Connector/C
yet. I've reported a bug, so it should be fixed soon, I assume.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

Follow ups

Re: CVE list for connectors
From: Michal Schorm, 2018-08-22

References

CVE list for connectors
From: Michal Schorm, 2018-08-21