On 08.05.2015 at 12:06, Sergei Golubchik wrote:
Hi, Reindl!
On May 07, Reindl Harald wrote:
No, it affects the server, not mysql_upgrade. But it's a new statement that mysql_upgrade is using; no existing query can possibly trigger that bug.
well, in other words anybody could crash the server by writing a specific query, and so I am not sure which is worse: the security bugs in 10.0.17 or that bug in 10.0.18
Right. We'll release 10.0.19 to fix that.
thanks
doesn't upstream run "mysql_upgrade" mandatorily, independent of changes?
No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I remember. RedHat/Fedora/CentOS - don't (again, as far as I remember).
upstream for me as packager for my own infrastructure is the mariadb developers themselves - in other words: sounds like a completely untested change
OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627, while there still was no answer to the mail below, and so the state of which of the mysql security bugs are also in mariadb is unknown
I've updated MariaDB.org CVE overview page about a week ago. (note that email didn't request an answer, it requested the page to be updated)
well, without a reply one needs to check the page every day to see if there is an update :-)