Hello Serg!

2015-10-25 20:38 GMT+02:00 Sergei Golubchik <[email protected]>:
> On Oct 25, Christian Rebischke wrote:
>> Hello,
>> Sorry for disturbing again. On your security page
>> https://mariadb.com/kb/en/mariadb/security/ are the following CVE's
>> missing:
> ...
>> I am not sure if mariadb is affected by them or not. Would be awesome
>> if you could add them at the right section :-)
>
> Not affected, that's why they aren't listed. The security page lists all
> CVEs that affected MariaDB and the version when they were fixed. CVEs
> that never affected us are not listed.
>
>> CVE-2015-4910
>
> It's for memcached plugin, we don't have it.
>
>> CVE-2015-4905
>> CVE-2015-4904
>> CVE-2015-4895
>> CVE-2015-4862
>> CVE-2015-4833
>> CVE-2015-4800
>> CVE-2015-4791
>> CVE-2015-4766
>
> They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5
> was the last version when we merged everything from MySQL. That is,
> MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and
> Performance Schema from 5.6.

It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit about the fact that Oracle CVEs do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.

..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?

The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?

- Otto

_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp

