[Maria-developers] Several CVEs in Oracle MySQL, is MariaDB vulnerable?
Hello everyone,

Sorry if I am on the wrong mailing list. I wanted to submit a bug report or issue for this but I can't sign up for your JIRA because of license reasons.

I am from the Archlinux Security Team and want to ask if MariaDB in its current version is vulnerable to the following CVEs:

CVE-2015-4913 CVE-2015-4910 CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4890 CVE-2015-4879 CVE-2015-4870 CVE-2015-4862 CVE-2015-4864 CVE-2015-4861 CVE-2015-4858 CVE-2015-4836 CVE-2015-4833 CVE-2015-4830 CVE-2015-4826 CVE-2015-4819 CVE-2015-4815 CVE-2015-4807 CVE-2015-4802 CVE-2015-4800 CVE-2015-4792 CVE-2015-4791 CVE-2015-4766

I hope you can help me.

Best regards

--------------------------------------------------------------
Christian Rebischke
Member of Archlinux CVE-Monitoring Team
Website : www.nullday.de
Twitter : @sh1bumi
Jabber : shibumi@jabber.ccc.de
PGP : 0xDFE2060D
Fingerprint: 6DAF 7B80 8F9D F251 3962 0000 D214 61E3 DFE2 060D
--------------------------------------------------------------
----- On 24 Oct, 2015, at 3:47 AM, Christian Rebischke chris.rebischke@gmail.com wrote:
> Hello everyone,
>
> Sorry if I am on the wrong mailing list. I wanted to submit a bug report or issue for this but I can't sign up for your JIRA because of license reasons.

Keen to know which conditions were a problem. May affect other people.

> I am from the Archlinux Security Team and want to ask if MariaDB in its current version is vulnerable to the following CVEs:
>
> CVE-2015-4913 CVE-2015-4910 CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4890 CVE-2015-4879 CVE-2015-4870 CVE-2015-4862 CVE-2015-4864 CVE-2015-4861 CVE-2015-4858 CVE-2015-4836 CVE-2015-4833 CVE-2015-4830 CVE-2015-4826 CVE-2015-4819 CVE-2015-4815 CVE-2015-4807 CVE-2015-4802 CVE-2015-4800 CVE-2015-4792 CVE-2015-4791 CVE-2015-4766
>
> I hope you can help me.

Of course, listed here: https://mariadb.com/kb/en/mariadb/security/

It's only got the fixed versions rather than the versions in which the vulnerabilities were introduced. Is this sufficient?

--
Daniel Black, Engineer @ Open Query (http://openquery.com.au)
Remote expertise & maintenance for MySQL/MariaDB server environments.
Hi, Daniel!

On Oct 24, Daniel Black wrote:

> > Hello everyone,
> >
> > Sorry if I am on the wrong mailing list. I wanted to submit a bug report or issue for this but I can't sign up for your JIRA because of license reasons.
>
> Keen to know which conditions were a problem. May affect other people.

I've just found out. It turned out that we've run out of accounts (our Jira license has a limit on that). I've deactivated accounts that were created during our launchpad->jira migration (they weren't real users anyway), so registration should work again for a while. Meanwhile we'll fix the license.

> > I am from the Archlinux Security Team and want to ask if MariaDB in its current version is vulnerable to the following CVEs:
> >
> > CVE-2015-4913 CVE-2015-4910 CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4890 CVE-2015-4879 CVE-2015-4870 CVE-2015-4862 CVE-2015-4864 CVE-2015-4861 CVE-2015-4858 CVE-2015-4836 CVE-2015-4833 CVE-2015-4830 CVE-2015-4826 CVE-2015-4819 CVE-2015-4815 CVE-2015-4807 CVE-2015-4802 CVE-2015-4800 CVE-2015-4792 CVE-2015-4791 CVE-2015-4766
> >
> > I hope you can help me.
>
> Of course, listed here:

I've just added them after this Archlinux email :) Oracle has released a new critical patch update, so these CVEs were made public very recently.

Regards,
Sergei
On Fri, Oct 23, 2015 at 10:15:13PM +0200, Sergei Golubchik wrote:

> I've just found out. It turned out that we've run out of accounts (our Jira license has a limit on that). I've deactivated accounts that were created during our launchpad->jira migration (they weren't real users anyway), so registration should work again for a while.
>
> Meanwhile we'll fix the license.

Yep, I can confirm this problem. That was the problem that stopped me from setting up a bug report/issue request.

> > > I am from the Archlinux Security Team and want to ask if MariaDB in its current version is vulnerable to the following CVEs:
> > >
> > > CVE-2015-4913 CVE-2015-4910 CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4890 CVE-2015-4879 CVE-2015-4870 CVE-2015-4862 CVE-2015-4864 CVE-2015-4861 CVE-2015-4858 CVE-2015-4836 CVE-2015-4833 CVE-2015-4830 CVE-2015-4826 CVE-2015-4819 CVE-2015-4815 CVE-2015-4807 CVE-2015-4802 CVE-2015-4800 CVE-2015-4792 CVE-2015-4791 CVE-2015-4766
> > >
> > > I hope you can help me.
> >
> > Of course, listed here:

Thx for your list :-) Nice work with MariaDB, guys! That's all from me.

--------------------------------------------------------------
Christian Rebischke
Member of Archlinux CVE-Monitoring Team
Website : www.nullday.de
Twitter : @sh1bumi
Jabber : shibumi@jabber.ccc.de
PGP : 0xDFE2060D
Fingerprint: 6DAF 7B80 8F9D F251 3962 0000 D214 61E3 DFE2 060D
--------------------------------------------------------------
Hello,

Sorry for disturbing again. On your security page https://mariadb.com/kb/en/mariadb/security/ the following CVEs are missing:

CVE-2015-4910 CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4862 CVE-2015-4833 CVE-2015-4800 CVE-2015-4791 CVE-2015-4766

I am not sure if MariaDB is affected by them or not. Would be awesome if you could add them in the right section :-)

That's definitely all now.

Best regards

--------------------------------------------------------------
Christian Rebischke
Member of Archlinux CVE-Monitoring Team
Website : www.nullday.de
Twitter : @sh1bumi
Jabber : shibumi@jabber.ccc.de
PGP : 0xDFE2060D
Fingerprint: 6DAF 7B80 8F9D F251 3962 0000 D214 61E3 DFE2 060D
--------------------------------------------------------------
Hi, Christian!

On Oct 25, Christian Rebischke wrote:

> Hello,
>
> Sorry for disturbing again. On your security page https://mariadb.com/kb/en/mariadb/security/ the following CVEs are missing: ... I am not sure if MariaDB is affected by them or not. Would be awesome if you could add them in the right section :-)

Not affected, that's why they aren't listed. The security page lists all CVEs that affected MariaDB and the version when they were fixed. CVEs that never affected us are not listed.

> CVE-2015-4910

It's for the memcached plugin, we don't have it.

> CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4862 CVE-2015-4833 CVE-2015-4800 CVE-2015-4791 CVE-2015-4766

They're all for MySQL-5.6, for code that we don't have. MySQL-5.5 was the last version from which we merged everything from MySQL. That is, MariaDB is based on the MySQL-5.5 codebase; we only merge InnoDB and Performance Schema from 5.6.

Regards,
Sergei
security@mariadb.org
Hello Serg!

2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:

> On Oct 25, Christian Rebischke wrote:
>
> > Hello,
> >
> > Sorry for disturbing again. On your security page https://mariadb.com/kb/en/mariadb/security/ the following CVEs are missing: ... I am not sure if MariaDB is affected by them or not. Would be awesome if you could add them in the right section :-)
>
> Not affected, that's why they aren't listed. The security page lists all CVEs that affected MariaDB and the version when they were fixed. CVEs that never affected us are not listed.
>
> > CVE-2015-4910
>
> It's for the memcached plugin, we don't have it.
>
> > CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4862 CVE-2015-4833 CVE-2015-4800 CVE-2015-4791 CVE-2015-4766
>
> They're all for MySQL-5.6, for code that we don't have. MySQL-5.5 was the last version from which we merged everything from MySQL. That is, MariaDB is based on the MySQL-5.5 codebase; we only merge InnoDB and Performance Schema from 5.6.

It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about Oracle CVEs that do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.

..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?

The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?

- Otto
----- On 26 Oct, 2015, at 6:00 AM, Otto Kekäläinen otto@seravo.fi wrote:

> Hello Serg!
>
> 2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:
> ...
> > They're all for MySQL-5.6, for code that we don't have. MySQL-5.5 was the last version from which we merged everything from MySQL. That is, MariaDB is based on the MySQL-5.5 codebase; we only merge InnoDB and Performance Schema from 5.6.

Good summary info.

> It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about Oracle CVEs that do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.
>
> ..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?

It's probably a real pain to keep this list updated. Something like "we've checked CVEs before and including (CVE-2015-4910) and only the CVEs listed above affect MariaDB" would be sufficient.

--
Daniel Black, Engineer @ Open Query (http://openquery.com.au)
Remote expertise & maintenance for MySQL/MariaDB server environments.
Hi, Daniel!

On Oct 26, Daniel Black wrote:

> > It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about Oracle CVEs that do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.
> >
> > ..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?
>
> It's probably a real pain to keep this list updated. Something like "we've checked CVEs before and including (CVE-2015-4910) and only the CVEs listed above affect MariaDB" would be sufficient.

Right, thanks for the idea. I'm not sure CVE ids are published sequentially, though. It might be that Oracle assigns CVE ids when an issue is *discovered* but, obviously, only publishes it when the issue is *fixed*, so even if they're assigned in order, they might be published out of order. I've suggested (in another mail in this thread) to use "from Oracle CPU <link> and all earlier CPUs".

Regards,
Sergei
Hi, Otto!

On Oct 25, Otto Kekäläinen wrote:

> It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about Oracle CVEs that do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.

It doesn't make sense to list *all* CVEs that don't apply to MariaDB. Taking this to extremes: Apache CVEs and X.org CVEs don't apply to MariaDB either, shall we list them too? :)

> ..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?

What about "All other CVEs from Oracle CPU <link> and earlier CPUs do not affect MariaDB".

> The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?

I can only guess.

CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all versions of MariaDB and MySQL (!) are affected. See MDEV-8269.

CVE-2015-2620 seems to be Oracle Bug#20754369 (Bug#20007583). It was fixed in MariaDB 5.5.44 and MariaDB 10.0.20.

I've updated the security page, thanks!

Regards,
Sergei
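As an added illustration of the triage policy described in this thread (a listed CVE carries the version per series that fixed it; an unlisted CVE from a reviewed Oracle CPU does not affect MariaDB; CVE ids are not assumed to be published in numeric order), here is a small Python script of the kind a distribution security team could run to sort a CVE list against an installed MariaDB version. It is constructed for this thread and is not MariaDB project code or the real KB table: the fixed versions for CVE-2015-2620 and the CPU membership of CVE-2015-4737 and the October 2015 ids are taken from the messages above, everything else in the tables is an assumption, and CVE-2099-0001 is a placeholder id.

```python
"""Triage MySQL CVE ids against a MariaDB-style security table.

Constructed example, not the MariaDB project's code or real KB data.  It
models the policy stated in the thread: the security page lists only CVEs
that affected MariaDB, with the version in each series that fixed them; any
other CVE from a reviewed Oracle CPU is declared not to affect MariaDB; a
CVE from a CPU nobody has reviewed yet is simply unchecked.
"""
import re
from typing import Dict, List, Set, Tuple

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for the KB table: CVE -> fixed version per series.
# CVE-2015-2620 carries the versions quoted in the thread (5.5.44, 10.0.20);
# CVE-2015-4737 is listed with no fixed version because the thread says no
# complete fix exists (MDEV-8269).
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2015-2620": ["5.5.44", "10.0.20"],
    "CVE-2015-4737": [],
}

# CVE ids covered by each reviewed Oracle CPU.  Membership is an explicit set
# rather than a "<= CVE-2015-4910" cut-off, because ids need not be published
# in numeric order.  Only ids the thread itself places in a CPU appear here;
# a real run would load the full advisory (assumption: labels are ours).
CHECKED_CPUS: Dict[str, Set[str]] = {
    "Oracle CPU July 2015": {"CVE-2015-4737"},
    "Oracle CPU October 2015": {
        "CVE-2015-4913", "CVE-2015-4910", "CVE-2015-4905", "CVE-2015-4904",
    },
}


def is_cve_id(s: str) -> bool:
    """True for a syntactically valid CVE id such as CVE-2015-2620."""
    return bool(CVE_RE.match(s))


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.19' -> (10, 0, 19); tuples compare correctly, strings do not."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def series_of(v: Tuple[int, ...]) -> Tuple[int, ...]:
    """MariaDB series are named by the first two components (5.5, 10.0, 10.1)."""
    return v[:2]


def triage(cve: str, installed: str) -> Tuple[str, str]:
    """Return (status, detail) for one CVE against one installed version."""
    if not is_cve_id(cve):
        raise ValueError(f"malformed CVE id: {cve!r}")
    inst = parse_version(installed)
    if cve in FIXED_IN:
        fixes = [parse_version(f) for f in FIXED_IN[cve]]
        if not fixes:
            return "affected-unfixed", "listed as affecting MariaDB, no fixed version given"
        same_series = [f for f in fixes if series_of(f) == series_of(inst)]
        if not same_series:
            # The table says nothing about this series; do not guess either way.
            series = ".".join(map(str, series_of(inst)))
            listed = ", ".join(FIXED_IN[cve])
            return "unknown-series", f"fixed in {listed}; no entry for the {series} series"
        fix_s = ".".join(map(str, same_series[0]))
        if inst >= same_series[0]:
            return "fixed", f"fixed in {fix_s}"
        return "vulnerable", f"fixed in {fix_s}, installed {installed} is older"
    for cpu, ids in CHECKED_CPUS.items():
        if cve in ids:
            return "not-affected", f"reviewed with {cpu}, not listed as affecting MariaDB"
    return "unchecked", "not in any reviewed CPU; status unknown"


def report(cves: List[str], installed: str) -> Dict[str, Tuple[str, str]]:
    """Triage every id in `cves` against one installed MariaDB version."""
    return {cve: triage(cve, installed) for cve in cves}


if __name__ == "__main__":
    # Constructed query: three ids from the thread plus a placeholder id.
    query = ["CVE-2015-2620", "CVE-2015-4737", "CVE-2015-4910", "CVE-2099-0001"]
    for cve, (status, detail) in report(query, "10.0.19").items():
        print(f"{cve}: {status:16s} {detail}")
```

The distinction between "not-affected" and "unchecked" is the whole point of Sergei's proposed KB wording: a CVE that is absent from the table only means "does not affect MariaDB" when it belongs to a CPU the project has actually reviewed.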
2015-10-26 11:35 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:

> What about "All other CVEs from Oracle CPU <link> and earlier CPUs do not affect MariaDB".

I think this would be explicit enough, so that people can deduce which Oracle CVEs apply and which do not, and what has not been checked yet.

--
Check out our blog at http://seravo.fi/blog and follow @ottokekalainen
Hi, Otto!

On Oct 26, Otto Kekäläinen wrote:

> 2015-10-26 11:35 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:
>
> > What about "All other CVEs from Oracle CPU <link> and earlier CPUs do not affect MariaDB".
>
> I think this would be explicit enough, so that people can deduce which Oracle CVEs apply and which do not, and what has not been checked yet.

Yes, good that we agree on that. As my suggested wording is explicit enough, I'm adding it to the KB, thanks!

Regards,
Sergei
2015-10-26 11:35 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:

> > The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?
>
> I can only guess.
>
> CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all versions of MariaDB and MySQL (!) are affected. See MDEV-8269.

This CVE is fixed in MySQL 5.6 according to https://security-tracker.debian.org/tracker/CVE-2015-4737
Hi, Otto!

On Oct 26, Otto Kekäläinen wrote:

> 2015-10-26 11:35 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:
>
> > > The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?
> >
> > I can only guess.
> >
> > CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all versions of MariaDB and MySQL (!) are affected. See MDEV-8269.
>
> This CVE is fixed in MySQL 5.6 according to https://security-tracker.debian.org/tracker/CVE-2015-4737

I know. The Oracle CPU from July 2015 lists it as fixed. But that commit fixes only one specific use case. There is no complete solution for Bug#20181776 either in MySQL or in MariaDB. Again, please see MDEV-8269.

Disclaimer: CVE-2015-4737 may not be Bug#20181776 at all.

Regards,
Sergei