mariadb101-server vulnerability?

Mark Felder feld at feld.me
Mon Aug 8 11:53:17 UTC 2016



> On Aug 8, 2016, at 05:02, Bernard Spil <brnrd at FreeBSD.org> wrote:
> 
>> On 2016-08-06 23:17, Mark Felder wrote:
>>> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> > Hi —
>>> >
>>> > Kubilay Kocak <koobs at FreeBSD.org> wrote:
>>> >
>>> >> Unfortunately you are yet one more example of a user that's been left in
>>> >> the lurch without information or recourse wondering (rightfully) how
>>> >> they can resolve or mitigate this vulnerability. Our apologies.
>>> >
>>> > While we are on that topic, I am wondering about that 14 days old warning, as well:
>>> >
>>> >    mariadb101-server-10.1.16 is vulnerable:
>>> >    MySQL -- Multiple vulnerabilities
>>> >    CVE: CVE-2016-3452
>>> > [long list of CVEs snipped]
>>> >    CVE: CVE-2016-3477
>>> >    https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>> >
>>> > I really do not know how serious this report is. Every feedback is highly appreciated.
>>> Hi Michael:
>>> Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>> Your comment on that issue would be appreciated.
>>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>>> multiple vulnerable ports is:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>> From what I can see MariaDB hasn't released an update to address these
>> issues yet. I believe Oracle does not coordinate release of security
>> issues with third parties / forks. This has probably caught MariaDB off
>> guard and they're likely waiting for access to the relevant commits to
>> import the fixes.
> 
> Hi Mark,
> 
> The CVEs mention MariaDB where applicable.
> 
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows the MySQL release numbering and has also received updates so I added version checks there as well.
> 
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
> 

Thanks for keeping an eye on this!
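The warning Michael saw comes from pkg audit matching the installed version against the <range> bounds in the ports VuXML entry; the fix Bernard describes (adding per-package version bounds for MariaDB and Percona) is what makes the check stop firing once the patched port is installed. The following is an added example, not code from the FreeBSD ports tree or from pkg(8): it parses a constructed VuXML fragment and applies the range check with a simplified pkg_version(8) ordering. The vid, package names and version bounds in the sample are placeholders and are not the real ca5cb202-4f51-11e6-b2ec-b499baebfeaf entry; pre-release suffixes (a1, rc1, pl) are deliberately not modelled.

```python
import re
import xml.etree.ElementTree as ET

# VuXML documents declare this namespace; element lookups must include it.
VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML fragment in the shape of a ports vuln entry.  The vid,
# names and bounds are illustrative placeholders (note the .99 versions),
# not the actual MySQL/MariaDB entry discussed in the thread.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>MySQL -- Multiple vulnerabilities (constructed example)</topic>
    <affects>
      <package>
        <name>mariadb101-server</name>
        <range><lt>10.1.99</lt></range>
      </package>
      <package>
        <name>mariadb100-server</name>
        <range><lt>10.0.99</lt></range>
      </package>
      <package>
        <name>mysql57-server</name>
        <range><ge>5.7</ge><lt>5.7.99</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def version_key(s):
    """Simplified pkg_version(8) ordering as a sortable tuple.

    Epoch (after ',') dominates, then the dot-separated components, then
    PORTREVISION (after '_').  Each component becomes (number, suffix) so
    '16b' > '16'.  Pre-release markers such as 'rc1' are NOT modelled.
    """
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in s.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return (epoch, tuple(parts), revision)


def affected(text):
    """Yield (vid, topic, [names], [[(op, version), ...], ...]) per <package>."""
    root = ET.fromstring(text)
    out = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        vid = vuln.get("vid")
        topic = vuln.findtext(VUXML_NS + "topic")
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = [n.text for n in pkg.findall(VUXML_NS + "name")]
            # Each <range> is a conjunction of bounds; ranges are alternatives.
            ranges = [[(c.tag[len(VUXML_NS):], c.text) for c in rng]
                      for rng in pkg.findall(VUXML_NS + "range")]
            out.append((vid, topic, names, ranges))
    return out


def is_vulnerable(version, ranges):
    """Affected if ALL bounds of ANY one <range> hold for the version."""
    key = version_key(version)
    return any(all(OPS[op](key, version_key(v)) for op, v in bounds)
               for bounds in ranges)


def audit(installed, text):
    """installed maps pkg name -> version, as 'pkg query %n %v' would give."""
    hits = []
    for vid, topic, names, ranges in affected(text):
        for name in names:
            if name in installed and is_vulnerable(installed[name], ranges):
                hits.append((name, installed[name], vid, topic))
    return hits


if __name__ == "__main__":
    # Constructed inventory: only the mariadb101 version falls inside a range.
    inventory = {"mariadb101-server": "10.1.16",
                 "mariadb100-server": "10.0.99_2",
                 "mysql57-server": "5.7.99"}
    for name, ver, vid, topic in audit(inventory, SAMPLE_VUXML):
        print(f"{name}-{ver} is vulnerable: {topic} ({vid})")
```

A PORTREVISION bump alone (10.1.16 to 10.1.16_1) does not satisfy a `<lt>10.1.17</lt>` bound, which is why an entry has to name the actual fixed upstream version, or a port revision that carries the backported fix, for the audit to clear.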

