Hi, Daniel!

On Oct 26, Daniel Black wrote:
It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit that Oracle CVEs do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.
..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?
It's probably a real pain to keep this list updated. Something like "we've checked CVEs before and including (CVE-2015-4910) and only the CVEs listed above affect MariaDB" would be sufficient.
Right, thanks for the idea. I'm not sure CVE ids are published sequentially, though. It might be that Oracle assigns CVE ids when an issue is *discovered*, but, obviously, only publishes it when the issue is *fixed*, so even if they're assigned in order, they might be published out of order. I've suggested (in another mail in this thread) to use "from Oracle CPU <link> and all earlier CPUs".

Regards,
Sergei