Date:      Mon, 8 Aug 2016 06:53:14 -0500
From:      Mark Felder <feld@feld.me>
To:        Bernard Spil <brnrd@FreeBSD.org>
Cc:        Kubilay Kocak <koobs@freebsd.org>, Michael Grimm <trashcan@ellael.org>, freebsd-ports@freebsd.org, FreeBSD Ports Security Team <ports-secteam@freebsd.org>
Subject:   Re: mariadb101-server vulnerability?
Message-ID:  <9B00CFF4-C994-4B4F-8449-9D191A8FE78E@feld.me>
In-Reply-To: <aba0b1871d51d7891eca9b5905c69c19@imap.brnrd.eu>
References:  <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org> <F7C5E254-6801-4274-A973-9ECBAB3EA20F@ellael.org> <0ff02264-b10d-c0a6-f82b-38d178f26aac@FreeBSD.org> <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com> <aba0b1871d51d7891eca9b5905c69c19@imap.brnrd.eu>



> On Aug 8, 2016, at 05:02, Bernard Spil <brnrd@FreeBSD.org> wrote:
>
>> On 2016-08-06 23:17, Mark Felder wrote:
>>> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> > Hi —
>>> >
>>> > Kubilay Kocak <koobs@FreeBSD.org> wrote:
>>> >
>>> >> Unfortunately you are yet one more example of a user that's been left in
>>> >> the lurch without information or recourse wondering (rightfully) how
>>> >> they can resolve or mitigate this vulnerability. Our apologies.
>>> >
>>> > While we are on that topic, I am wondering about that 14 days old warning, as well:
>>> >
>>> >    mariadb101-server-10.1.16 is vulnerable:
>>> >    MySQL -- Multiple vulnerabilities
>>> >    CVE: CVE-2016-3452
>>> > [long list of CVEs snipped]
>>> >    CVE: CVE-2016-3477
>>> >    https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>> >
>>> > I really do not know how serious this report is. Every feedback is highly appreciated.
>>> Hi Michael:
>>> Bug:  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>> Your comment on that issue would be appreciated.
>>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>>> multiple vulnerable ports is:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>> From what I can see MariaDB hasn't released an update to address these
>> issues yet. I believe Oracle does not coordinate release of security
>> issues with third parties / forks. This has probably caught MariaDB off
>> guard and they're likely waiting for access to the relevant commits to
>> import the fixes.
>
> Hi Mark,
>
> The CVEs mention MariaDB where applicable.
>
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows the MySQL release numbering and has also received updates, so I added version checks there as well.
>
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
>

Thanks for keeping an eye on this!


