Hi, Otto! On Oct 25, Otto Kekäläinen wrote:
It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about that Oracle CVEs do _not_ affect MariaDB, because I am sure many people wonder on how what the status might be for non-listed CVEs.
It doesn't make sense to list *all* CVEs that don't apply to MariaDB. Taking this to extremes - Apache CVEs and X.org CVEs don't apply to MariaDB either, shall we list them too? :)
..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?
What about "All other CVE's from Oracle CPU <link> and earlier CPUs do not affect MariaDB".
The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?
I can only guess. CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all versions of MariaDB and MySQL (!) are affected. See MDEV-8269. CVE-2015-2620 seems to be Oracle Bug#20754369 (Bug#20007583). It was fixed in MariaDB 5.5.44 and MariaDB 10.0.20. I've updated the security page, thanks! Regards, Sergei