On 07.05.2015 at 23:45, Sergei Golubchik wrote:
On May 07, Reindl Harald wrote:
and the Fedora 20 build is completely broken and crashes due to "mysql_upgrade"
Yes, I've just fixed it. But too late for 10.0.18 :(
Your most simple workaround would be not to run mysql_upgrade. It wouldn't do anything noticeable when upgrading from 10.0.17 to 10.0.18 anyway.
does that *really* only affect mysql_upgrade since a crash of mysqld itself and not mysql_upgrade is bad and i am not sure if some other query in production would not trigger the same problem?
No, it affects the server, not mysql_upgrade. But it's a new statement that mysql_upgrade is using; no existing query can possibly trigger that bug.
well, in other words anybody could crash the server by writing a specific query, and so i am not sure what is worse: the security bugs in 10.0.17 or that bug in 10.0.18

doesn't upstream run "mysql_upgrade" mandatorily, independent of changes?

OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627, while there still was no answer to the mail below, and so the state of which of the mysql security bugs are also in mariadb is unknown

-------- Forwarded Message --------
Subject: [Maria-developers] Oracle April security notices and MariaDB
Date: Sun, 19 Apr 2015 21:55:19 +0300
From: Otto Kekäläinen <otto@seravo.fi>
To: maria-developers@lists.launchpad.net <maria-developers@lists.launchpad.net>

Hello!

Debian security team is pressing me on the information about which recent Oracle CVEs affect MariaDB and which not. They default to assuming all affect so we need to prove otherwise.

The Debian CVE tracker:
https://security-tracker.debian.org/tracker/source-package/mariadb-10.0

None of these recent CVEs are listed at the MariaDB.org tracker:
https://mariadb.com/kb/en/mariadb/security/

Could somebody please update the MariaDB.org CVE overview page?