Date: Mon, 08 Aug 2016 12:02:09 +0200
From: Bernard Spil <brnrd@FreeBSD.org>
To: Mark Felder <feld@feld.me>
Cc: Kubilay Kocak <koobs@freebsd.org>, Michael Grimm <trashcan@ellael.org>, freebsd-ports@freebsd.org, FreeBSD Ports Security Team <ports-secteam@freebsd.org>
Subject: Re: mariadb101-server vulnerability?
Message-ID: <aba0b1871d51d7891eca9b5905c69c19@imap.brnrd.eu>
In-Reply-To: <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com>
References: <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com>
 <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com>
 <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
 <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org>
 <F7C5E254-6801-4274-A973-9ECBAB3EA20F@ellael.org>
 <0ff02264-b10d-c0a6-f82b-38d178f26aac@FreeBSD.org>
 <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com>

On 2016-08-06 23:17, Mark Felder wrote:
> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>> > Hi —
>> >
>> > Kubilay Kocak <koobs@FreeBSD.org> wrote:
>> >
>> >> Unfortunately you are yet one more example of a user that's been left in
>> >> the lurch without information or recourse wondering (rightfully) how
>> >> they can resolve or mitigate this vulnerability. Our apologies.
>> >
>> > While we are on that topic, I am wondering about that 14 days old warning, as well:
>> >
>> > mariadb101-server-10.1.16 is vulnerable:
>> > MySQL -- Multiple vulnerabilities
>> > CVE: CVE-2016-3452
>> > [long list of CVEs snipped]
>> > CVE: CVE-2016-3477
>> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>> >
>> > I really do not know how serious this report is. Every feedback is highly appreciated.
>>
>> Hi Michael:
>>
>> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>
>> Your comment on that issue would be appreciated.
>>
>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating
>> the multiple vulnerable ports is:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>>
>
> From what I can see MariaDB hasn't released an update to address these
> issues yet. I believe Oracle does not coordinate release of security
> issues with third parties / forks. This has probably caught MariaDB off
> guard and they're likely waiting for access to the relevant commits to
> import the fixes.

Hi Mark,

The CVEs mention MariaDB where applicable. Added versions where these
vulns were fixed for MariaDB. PerconaDB follows the MySQL release
numbering and has also received updates so I added version checks there
as well.

See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Cheers,

Bernard.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aba0b1871d51d7891eca9b5905c69c19>