mariadb101-server vulnerability?
Mark Felder
feld at feld.me
Sat Aug 6 21:17:45 UTC 2016
On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
> On 6/08/2016 7:23 AM, Michael Grimm wrote:
> > Hi —
> >
> > Kubilay Kocak <koobs at FreeBSD.org> wrote:
> >
> >> Unfortunately you are yet one more example of a user that's been left in
> >> the lurch without information or recourse wondering (rightfully) how
> >> they can resolve or mitigate this vulnerability. Our apologies.
> >
> > While we are that topic, I am wondering about that 14 days old warning, as well:
> >
> > mariadb101-server-10.1.16 is vulnerable:
> > MySQL -- Multiple vulnerabilities
> > CVE: CVE-2016-3452
> > [long list of CVEs snipped]
> > CVE: CVE-2016-3477
> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
> >
> > I really do not know how serious this report is. Every feedback is highly appreciated.
>
> Hi Michael:
>
> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>
> Your comment on that issue would be appreciated.
>
> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
> multiple vulnerable ports is:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>
>
>From what I can see MariaDB hasn't released an update to address these
issues yet. I believe Oracles does not coordinate release of security
issues with third parties / forks. This has probably caught MariaDB off
guard and they're likely waiting for access to the relevant commits to
import the fixes.
--
Mark Felder
feld at feld.me
More information about the freebsd-ports
mailing list