mariadb101-server vulnerability?

Bernard Spil brnrd at FreeBSD.org
Mon Aug 8 10:07:41 UTC 2016


On 2016-08-06 23:17, Mark Felder wrote:
> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>> > Hi —
>> >
>> > Kubilay Kocak <koobs at FreeBSD.org> wrote:
>> >
>> >> Unfortunately you are yet one more example of a user that's been left in
>> >> the lurch without information or recourse wondering (rightfully) how
>> >> they can resolve or mitigate this vulnerability. Our apologies.
>> >
>> > While we are on that topic, I am wondering about that 14-day-old warning, as well:
>> >
>> > 	mariadb101-server-10.1.16 is vulnerable:
>> > 	MySQL -- Multiple vulnerabilities
>> > 	CVE: CVE-2016-3452
>> > [long list of CVEs snipped]
>> > 	CVE: CVE-2016-3477
>> > 	https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>> >
>> > I really do not know how serious this report is. Any feedback is highly appreciated.
>> 
>> Hi Michael:
>> 
>> Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>> 
>> Your comment on that issue would be appreciated.
>> 
>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>> multiple vulnerable ports is:
>> 
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>> 
>> 
> 
> From what I can see MariaDB hasn't released an update to address these
> issues yet. I believe Oracle does not coordinate release of security
> issues with third parties / forks. This has probably caught MariaDB off
> guard and they're likely waiting for access to the relevant commits to
> import the fixes.

Hi Mark,

The CVEs mention MariaDB where applicable.

Added versions where these vulns were fixed for MariaDB. PerconaDB 
follows the MySQL release numbering and has also received updates so I 
added version checks there as well.

See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Cheers,

Bernard.

