From: Bernard Spil <brnrd@FreeBSD.org>
To: Mark Felder
Cc: Kubilay Kocak, Michael Grimm, freebsd-ports@freebsd.org, FreeBSD Ports Security Team
Date: Mon, 08 Aug 2016 12:02:09 +0200
Subject: Re: mariadb101-server vulnerability?
In-Reply-To: <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com>

On 2016-08-06 23:17, Mark Felder wrote:
> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>> > Hi —
>> >
>> > Kubilay Kocak wrote:
>> >
>> >> Unfortunately you are yet one more example of a user that's been left in
>> >> the lurch without information or recourse wondering (rightfully) how
>> >> they can resolve or mitigate this vulnerability. Our apologies.
>> >
>> > While we are on that topic, I am wondering about that 14-day-old warning, as well:
>> >
>> > mariadb101-server-10.1.16 is vulnerable:
>> > MySQL -- Multiple vulnerabilities
>> > CVE: CVE-2016-3452
>> > [long list of CVEs snipped]
>> > CVE: CVE-2016-3477
>> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>> >
>> > I really do not know how serious this report is. Every feedback is highly appreciated.
>>
>> Hi Michael:
>>
>> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>
>> Your comment on that issue would be appreciated.
>>
>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>> multiple vulnerable ports is:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>>
>
> From what I can see MariaDB hasn't released an update to address these
> issues yet. I believe Oracle does not coordinate release of security
> issues with third parties / forks. This has probably caught MariaDB off
> guard and they're likely waiting for access to the relevant commits to
> import the fixes.

Hi Mark,

The CVEs mention MariaDB where applicable. Added versions where these vulns were fixed for MariaDB. PerconaDB follows the MySQL release numbering and has also received updates, so I added version checks there as well.

See https://svnweb.freebsd.org/ports?view=revision&revision=419813

Cheers,
Bernard.
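The per-port version checks Bernard mentions are expressed in VuXML as `<range>` bounds under each `<package>`. As an added illustration (not code from this thread or from the ports tree), here is a small Python checker that applies such ranges to installed package versions with a simplified pkg-version comparison. The VuXML fragment, its version bounds and the installed-package sample are constructed; only the vid and topic come from the thread, and the bound values are placeholders, not the real entry's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment in the element layout vuln.xml uses. The
# version bounds are placeholders for this illustration, not the real entry's.
VUXML_FRAGMENT = """<vuln vid="ca5cb202-4f51-11e6-b2ec-b499baebfeaf">
  <topic>MySQL -- Multiple vulnerabilities</topic>
  <affects>
    <package><name>mariadb101-server</name><range><lt>10.1.99</lt></range></package>
    <package><name>percona57-server</name><range><ge>5.7</ge><lt>5.7.99</lt></range></package>
  </affects>
</vuln>
"""

def parse_version(v):
    """Split 'X.Y.Z[_rev][,epoch]' into (epoch, numeric parts, rev); letters ignored."""
    base, _, epoch = v.partition(",")
    base, _, rev = base.partition("_")
    return int(epoch or 0), tuple(int(x) for x in re.findall(r"\d+", base)), int(rev or 0)

def compare(a, b):
    """Return -1, 0 or 1 like pkg-version(8); missing components count as 0."""
    ea, na, ra = parse_version(a)
    eb, nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    ka = (ea, na + (0,) * (width - len(na)), ra)
    kb = (eb, nb + (0,) * (width - len(nb)), rb)
    return (ka > kb) - (ka < kb)

# VuXML bound elements; every bound inside one <range> must hold.
BOUNDS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
          "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def affected(fragment, installed):
    """Return [(port, version)] for installed ports that fall inside an affected range."""
    hits = []
    for pkg in ET.fromstring(fragment).iter("package"):
        name = pkg.findtext("name")
        if name not in installed:
            continue
        ver = installed[name]
        # Several <range> elements are alternatives; matching one is enough.
        if any(all(BOUNDS[b.tag](compare(ver, b.text)) for b in rng)
               for rng in pkg.findall("range")):
            hits.append((name, ver))
    return hits

# Constructed sample of installed ports (10.1.16 is the version named in the thread).
INSTALLED = {"mariadb101-server": "10.1.16", "percona57-server": "5.7.13_1",
             "mariadb100-client": "10.0.26"}
```

Running `affected(VUXML_FRAGMENT, INSTALLED)` flags both server ports and ignores the client package that the fragment does not list.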