Hi, Raina! On Jan 23, Raina Masand wrote:
Hello,
We recently were informed of some security fixes in MySQL 5.5.41: http://www.ubuntu.com/usn/usn-2480-1/ and are wondering whether there are plans to include these in an upcoming MariaDB release. Right now, we are running 10.0.13, so we're trying to plan the next upgrade. We see that there have been similar fixes included in MariaDB 10.0.14 and 10.0.15, so this seems likely.
Based on this https://mariadb.com/kb/en/mariadb/development/security/ list of CVEs, it looks like MariaDB 10.0.15 and MariaDB 5.5.40 include the same security fixes (presumably pulled from MySQL 5.5.40). Can we expect that the fixes from MySQL 5.5.41 will be included in an upcoming MariaDB 10.0.16 release? We would appreciate any insight into the general schedule for addressing these vulnerabilities.
Yes, I have updated the Security page to include these newly announced vulnerabilities. They are fixed in MariaDB-5.5.41 and MariaDB-10.0.16. Generally it works as follows:
* Oracle discovers or learns about a security vulnerability in MySQL
* Oracle doesn't tell anyone and secretly fixes it
* Oracle releases a new - fixed - MySQL version
* We (MariaDB) pull in MySQL changes and release a new MariaDB version - this usually takes a few days (up to a week)
* Oracle releases a CPU with a very vague description of vulnerabilities - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
* By that time a fixed MariaDB version is already released; I only need to add new CVE numbers to the Security page
So, generally, when new vulnerabilities are publicly announced, the latest MariaDB release already has them fixed, even if the Security page doesn't say so yet.
Regards,
Sergei