Hi Expert,

I have a question about how to identify a MariaDB CVE issue.

For example, per the description of http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481, it only refers to the MySQL versions which are affected, but does not mention any info about MariaDB. So I continued to look for some clue at https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-t..., but there is no item about CVE-2019-2481. And then I continued to search for some clues in the "Full List of CVEs fixed in MariaDB" part of https://mariadb.com/kb/en/library/security/, and on this page there is a line as below:

- CVE-2019-2481 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481>: MariaDB 5.5.37 <https://mariadb.com/kb/en/mariadb-5537-release-notes/>, MariaDB 10.0.11 <https://mariadb.com/kb/en/mariadb-10011-release-notes/>

But I still don't know whether it affects MariaDB 10.3.13 or not.

Thanks,
Hi, mingming1!

On May 05, mingming1 yu wrote:
> Hi Expert,
>
> I have a question about how to identify a MariaDB CVE issue.
>
> For example, per the description of http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481, it only refers to the MySQL versions which are affected, but does not mention any info about MariaDB. So I continued to look for some clue at https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-t..., but there is no item about CVE-2019-2481. And then I continued to search for some clues in the "Full List of CVEs fixed in MariaDB" part of https://mariadb.com/kb/en/library/security/, and on this page there is a line as below:
>
> - CVE-2019-2481 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481>: MariaDB 5.5.37 <https://mariadb.com/kb/en/mariadb-5537-release-notes/>, MariaDB 10.0.11 <https://mariadb.com/kb/en/mariadb-10011-release-notes/>
>
> But I still don't know whether it affects MariaDB 10.3.13 or not.

Generally, you can assume that a CVE in any MariaDB version affects versions (in other major releases too) that were released before the fix date, and does not affect versions (in other major releases too) that were released after the fix date.

In this particular case it does not affect 10.3.13, because according to https://mariadb.com/kb/en/mariadb-5537-release-notes CVE-2019-2481 was fixed in 5.5.37, released on 17 Apr 2014. And 10.3.13 was released on 21 Feb 2019.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
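
The release-date rule from the reply above, applied to the KB line quoted in the question. This is an added example, not part of the original thread and not MariaDB tooling; the function names and the three-valued result are assumptions, and the only release dates used are the two given in the reply.

```python
import re
from datetime import date

# Release dates quoted in the reply above; extend this table from the
# release notes for any other version you need to check.
RELEASE_DATES = {
    "5.5.37": date(2014, 4, 17),
    "10.3.13": date(2019, 2, 21),
}

# The "Full List of CVEs fixed in MariaDB" line quoted in the question.
KB_LINE = (
    "- CVE-2019-2481 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481>: "
    "MariaDB 5.5.37 <https://mariadb.com/kb/en/mariadb-5537-release-notes/>, "
    "MariaDB 10.0.11 <https://mariadb.com/kb/en/mariadb-10011-release-notes/>"
)

def parse_kb_line(line):
    """Return (cve_id, [fixed versions]) from one KB list line."""
    m = re.match(r"\s*-\s*(CVE-\d{4}-\d+)", line)
    if not m:
        raise ValueError("not a CVE line: %r" % line)
    # Only "MariaDB x.y.z" labels match; the lowercase URL slugs do not.
    return m.group(1), re.findall(r"MariaDB (\d+\.\d+\.\d+)", line[m.end():])

def is_affected(target, fixed_versions, release_dates=RELEASE_DATES):
    """True / False per the release-date rule, None when it cannot be decided."""
    if target in fixed_versions:
        return False
    released = release_dates.get(target)
    known = [release_dates[v] for v in fixed_versions if v in release_dates]
    if released is None or not known:
        return None              # missing dates: look them up, do not guess
    first_known_fix = min(known)
    if released > first_known_fix:
        return False             # released after a fix was already out
    if released < first_known_fix and len(known) == len(fixed_versions):
        return True              # released before every listed fix
    return None                  # same day, or an undated fix may be earlier

if __name__ == "__main__":
    cve, fixed = parse_kb_line(KB_LINE)
    print(cve, "fixed in", fixed, "-> 10.3.13 affected:", is_affected("10.3.13", fixed))
```

A `None` result means a release date is missing from the table, so the rule cannot be applied until that date is looked up in the release notes.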