Hi, Reindl!

On May 07, Reindl Harald wrote:
>
> > No, it affects the server, not mysql_upgrade. But it's a new
> > statement, that mysql_upgrade is using, no existing query can
> > possibly trigger that bug
>
> well, in other words anybody could crash the server by writing a
> specific query and so I am not sure what is worse: the security bugs
> in 10.0.17 or that bug in 10.0.18

Right. We'll release 10.0.19 to fix that.

> doesn't upstream run "mysql_upgrade" mandatory independent of changes?

No. Depends on what "upstream" is. Debian/Ubuntu do that, as far as I
remember. RedHat/Fedora/CentOS - don't (again, as far as I remember).

> OpenVAS against 10.0.17 reports CVE-2013-1861 and CVE-2012-5627 while
> there still was no answer to the mail below and so the state which of
> the mysql security bugs are also in mariadb is unknown

I've updated MariaDB.org CVE overview page about a week ago.
(note that email didn't request an answer, it requested the page to be
updated)

Regards,
Sergei

> -------- Forwarded Message --------
> Subject: [Maria-developers] Oracle April security notices and MariaDB
> Date: Sun, 19 Apr 2015 21:55:19 +0300
> From: Otto Kekäläinen <[email protected]>
> To: [email protected]
> <[email protected]>
>
> Hello!
>
> Debian security team is pressing me on the information about which
> recent Oracle CVEs affect MariaDB and which not. They default to
> assuming all affect so we need to prove otherwise.
>
> The Debian CVE tracker:
> https://security-tracker.debian.org/tracker/source-package/mariadb-10.0
>
> None of these recent CVEs are listed at the MariaDB.org tracker:
> https://mariadb.com/kb/en/mariadb/security/
>
> Could somebody please update the MariaDB.org CVE overview page?

