Hi, Otto!

On Oct 25, Otto Kekäläinen wrote:
> It would be nice if the page
> https://mariadb.com/kb/en/mariadb/security/ also had a section that
> was explicit about that Oracle CVEs do _not_ affect MariaDB, because I
> am sure many people wonder what the status might be for
> non-listed CVEs.

It doesn't make sense to list *all* CVEs that don't apply to MariaDB.
Taking this to extremes - Apache CVEs and X.org CVEs don't apply to
MariaDB either, shall we list them too? :)

> ..wait, it does indeed have the section "CVE's affecting Oracle MySQL"
> at the very end. Can you please update it?

What about "All other CVEs from Oracle CPU <link> and earlier CPUs do
not affect MariaDB".

> The Debian security tracker
> https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
> lists two CVEs as undetermined, can you say if CVE-2015-4737 and
> CVE-2015-2620 affect MariaDB 10.0 or not?

I can only guess.

CVE-2015-4737 seems to be Oracle Bug#20181776. If it is, then yes, all
versions of MariaDB and MySQL (!) are affected. See MDEV-8269.

CVE-2015-2620 seems to be Oracle Bug#20754369 (Bug#20007583). It was
fixed in MariaDB 5.5.44 and MariaDB 10.0.20.

I've updated the security page, thanks!

Regards,
Sergei

_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp
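As an added example, not part of the thread and not MariaDB's or Debian's own tooling: a small branch-aware check that answers the question Otto asks ("does CVE X affect MariaDB 10.0?") from a per-branch fixed-version table. The table is constructed only from what Sergei states above (CVE-2015-2620 fixed in 5.5.44 and 10.0.20; CVE-2015-4737 affecting all versions). Branches the thread says nothing about (e.g. 10.1) and CVEs not in the table come back as "undetermined" rather than "fixed", which is the same gap the Debian tracker reports. Function names and the sample version strings are illustrative; the version strings follow the `SELECT VERSION()` shape (`10.0.19-MariaDB-1~jessie`).

```python
"""Branch-aware "is this MariaDB version affected by CVE X?" check.

Added example, not MariaDB's own code. FIX_TABLE is constructed from the
statements in the mailing-list thread above.
"""
import re

# Per-branch first fixed version, keyed by branch ("5.5", "10.0", ...).
# An empty dict means no fix is known in any branch: the thread says
# CVE-2015-4737 affects "all versions of MariaDB and MySQL".
ALL_AFFECTED = {}
FIX_TABLE = {
    "CVE-2015-2620": {"5.5": "5.5.44", "10.0": "10.0.20"},  # per the thread
    "CVE-2015-4737": ALL_AFFECTED,                          # see MDEV-8269
}

# Leading dotted numeric part of a version string; the "-MariaDB-..." suffix
# that SELECT VERSION() appends is ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '10.0.19-MariaDB-1~jessie' into the tuple (10, 0, 19)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a version string: %r" % (text,))
    return tuple(int(p) for p in m.group(1).split("."))


def branch_of(version):
    """MariaDB branches are the first two components: 5.5, 10.0, 10.1, ..."""
    if len(version) < 2:
        raise ValueError("need at least major.minor: %r" % (version,))
    return "%d.%d" % version[:2]


def status(cve, version_text):
    """Return 'affected', 'fixed' or 'undetermined' for one CVE and version.

    'undetermined' is deliberately the default: a CVE or a branch that is
    missing from the table is not evidence that the version is fixed.
    """
    fixes = FIX_TABLE.get(cve)
    if fixes is None:                      # CVE not tracked here
        return "undetermined"
    version = parse_version(version_text)
    if not fixes:                          # no fix in any branch
        return "affected"
    branch_fix = fixes.get(branch_of(version))
    if branch_fix is None:                 # branch not covered by the thread
        return "undetermined"
    return "fixed" if version >= parse_version(branch_fix) else "affected"


def report(version_text):
    """Status of every tracked CVE for one installed version."""
    return {cve: status(cve, version_text) for cve in sorted(FIX_TABLE)}


if __name__ == "__main__":
    # Constructed sample inputs; the 10.1 line shows the 'undetermined' path.
    for v in ("5.5.43", "5.5.44-MariaDB", "10.0.19-MariaDB-1~jessie",
              "10.0.20", "10.1.6"):
        print(v, report(v))
```

The comparison is tuple-wise on the numeric components, so a version with a missing patch level (`"10.0"`) sorts below `10.0.20` and is reported as affected; if that is not the behaviour you want for such inputs, reject them in `parse_version` instead.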

