Subject: Re: mariadb101-server vulnerability?
From: Mark Felder
Date: Mon, 8 Aug 2016 06:53:14 -0500
To: Bernard Spil
Cc: Kubilay Kocak, Michael Grimm, freebsd-ports@freebsd.org, FreeBSD Ports Security Team
Message-Id: <9B00CFF4-C994-4B4F-8449-9D191A8FE78E@feld.me>
References: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> <0ff02264-b10d-c0a6-f82b-38d178f26aac@FreeBSD.org> <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com>

> On Aug 8, 2016, at 05:02, Bernard Spil wrote:
>
>> On 2016-08-06 23:17, Mark Felder wrote:
>>> On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote:
>>> On 6/08/2016 7:23 AM, Michael Grimm wrote:
>>> > Hi —
>>> >
>>> > Kubilay Kocak wrote:
>>> >
>>> >> Unfortunately you are yet one more example of a user that's been left in
>>> >> the lurch without information or recourse wondering (rightfully) how
>>> >> they can resolve or mitigate this vulnerability. Our apologies.
>>> >
>>> > While we are on that topic, I am wondering about that 14-day-old warning as well:
>>> >
>>> > mariadb101-server-10.1.16 is vulnerable:
>>> > MySQL -- Multiple vulnerabilities
>>> > CVE: CVE-2016-3452
>>> > [long list of CVEs snipped]
>>> > CVE: CVE-2016-3477
>>> > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf.html
>>> >
>>> > I really do not know how serious this report is. Any feedback is highly appreciated.
>>>
>>> Hi Michael:
>>>
>>> Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211274
>>> Your comment on that issue would be appreciated.
>>>
>>> The parent issue (assigned to ports-secteam (cc'd)) for coordinating the
>>> multiple vulnerable ports is:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211248
>>
>> From what I can see MariaDB hasn't released an update to address these
>> issues yet. I believe Oracle does not coordinate release of security
>> issues with third parties / forks. This has probably caught MariaDB off
>> guard and they're likely waiting for access to the relevant commits to
>> import the fixes.
>
> Hi Mark,
>
> The CVEs mention MariaDB where applicable.
>
> Added versions where these vulns were fixed for MariaDB. PerconaDB follows the MySQL release numbering and has also received updates, so I added version checks there as well.
>
> See https://svnweb.freebsd.org/ports?view=revision&revision=419813
>

Thanks for keeping an eye on this!
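To make concrete what the pkg audit warning quoted in this thread is checking, here is an added example (not code from the thread, from FreeBSD's pkg, or from the ports tree) that evaluates a full package name against a VuXML-style entry the way the per-package version checks Bernard describes are applied. The entry, its vid and its `<ge>`/`<lt>` bounds are constructed placeholders, the XML namespace is omitted, and version ordering is simplified to dotted numerics.

```python
import xml.etree.ElementTree as ET

# Constructed VuXML-style entry for illustration only: the vid, the missing
# namespace and the <lt> bound (standing in for the fixed MariaDB release)
# are NOT taken from the real ca5cb202-... advisory.
SAMPLE_VUXML = """<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>MySQL -- Multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>mariadb101-server</name>
        <range><ge>10.1</ge><lt>10.1.99</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

# Comparison elements VuXML allows inside <range>: every bound inside one
# <range> must hold, and a package is affected if any <range> holds.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version):
    # Assumption: plain dotted-numeric versions. The full pkg-version(8)
    # ordering (letters, '_' port revisions, ',' epochs) is not implemented.
    return tuple(int(part) for part in version.split("."))


def audit(pkgname, vuxml_text):
    """Return the topics of every <vuln> whose <affects> covers pkgname,
    given as a full package name such as 'mariadb101-server-10.1.16'."""
    name, version = pkgname.rsplit("-", 1)
    ver = version_key(version)
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for package in vuln.iter("package"):
            if name not in (n.text for n in package.findall("name")):
                continue
            for rng in package.findall("range"):
                bounds = list(rng)
                if bounds and all(OPS[b.tag](ver, version_key(b.text)) for b in bounds):
                    hits.append(vuln.findtext("topic"))
                    break
    return hits
```

With the constructed bounds, `audit("mariadb101-server-10.1.16", SAMPLE_VUXML)` reports the entry, while a version at or above the `<lt>` bound is no longer flagged.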