Hi, Reindl! On May 07, Reindl Harald wrote:
No, it affects the server, not mysql_upgrade. But it's a new statement that mysql_upgrade is using; no existing query can possibly trigger that bug.
Well, in other words, anybody could crash the server by writing a specific query, and so I am not sure which is worse: the security bugs in 10.0.17 or that bug in 10.0.18.
Right. We'll release 10.0.19 to fix that.
Doesn't upstream run "mysql_upgrade" mandatorily, independent of changes?
No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I remember. RedHat/Fedora/CentOS don't (again, as far as I remember).
OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627, while there still was no answer to the mail below, and so it is unknown which of the MySQL security bugs are also in MariaDB.
I've updated the MariaDB.org CVE overview page about a week ago. (Note that the email didn't request an answer; it requested that the page be updated.)
Regards,
Sergei
-------- Forwarded Message --------
Subject: [Maria-developers] Oracle April security notices and MariaDB
Date: Sun, 19 Apr 2015 21:55:19 +0300
From: Otto Kekäläinen <otto@seravo.fi>
To: maria-developers@lists.launchpad.net <maria-developers@lists.launchpad.net>
Hello!
The Debian security team is pressing me for information about which recent Oracle CVEs affect MariaDB and which do not. They default to assuming that all of them affect it, so we need to prove otherwise.
The Debian CVE tracker: https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
None of these recent CVEs are listed at the MariaDB.org tracker: https://mariadb.com/kb/en/mariadb/security/
Could somebody please update the MariaDB.org CVE overview page?