Date: Thu, 08 Nov 2018 09:59:18 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 233068] databases/mariadb*-server: many bogus CVEs listed, others missing
Message-ID: <bug-233068-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233068

Bug ID: 233068
Summary: databases/mariadb*-server: many bogus CVEs listed, others missing
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: jdc@koitsu.org

Requesting ports-secteam@ be added to this, in addition to the port maintainer.

The databases/mariadb*-server ports contain quite a list of CVEs in vuxml, many of which are bogus, and others which are missing. I believe the former is caused by an assumption being made by someone (not necessarily the port maintainer!) that (Oracle) MySQL vulnerabilities affect MariaDB. That isn't the case; each CVE must be reviewed on a case-by-case basis. To help with that, I'll provide this:

The MariaDB folks maintain two web pages, and have for a while, that document CVEs MariaDB is affected by:

https://mariadb.com/kb/en/library/security/

...and Oracle MySQL CVEs that *do not* apply to MariaDB:

https://mariadb.com/kb/en/library/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/

Let's review what vuxml says to determine which of them in the list are legit vs. bogus based on those pages.
Per pkg audit as of 2018/11/08 @ 01:20 PST/UTC-0800 with investigative results inline, done per port/pkg:

$ pkg audit mariadb102-server-10.2.18
mariadb102-server-10.2.18 is vulnerable:
MySQL -- multiple vulnerabilities
CVE: CVE-2018-3286 -- bogus
CVE: CVE-2018-3283 -- bogus
CVE: CVE-2018-3284 -- legitimate
CVE: CVE-2018-3282 -- legitimate
CVE: CVE-2018-3279 -- bogus
CVE: CVE-2018-3278 -- bogus
CVE: CVE-2018-3161 -- bogus
CVE: CVE-2018-3186 -- bogus
CVE: CVE-2018-3280 -- bogus
CVE: CVE-2018-3212 -- bogus
CVE: CVE-2018-3170 -- bogus
CVE: CVE-2018-3200 -- legitimate
CVE: CVE-2018-3173 -- legitimate
CVE: CVE-2018-3162 -- legitimate
CVE: CVE-2018-3277 -- legitimate
CVE: CVE-2018-3171 -- bogus
CVE: CVE-2018-3174 -- legitimate
CVE: CVE-2018-3187 -- bogus
CVE: CVE-2018-3247 -- bogus
CVE: CVE-2018-3195 -- bogus
CVE: CVE-2018-3185 -- legitimate
CVE: CVE-2018-3144 -- bogus
CVE: CVE-2018-3145 -- bogus
CVE: CVE-2018-3133 -- incorrect; fixed as of 10.2.13
CVE: CVE-2018-3203 -- bogus
CVE: CVE-2018-3137 -- bogus
CVE: CVE-2018-3182 -- bogus
CVE: CVE-2018-3251 -- legitimate
CVE: CVE-2018-3156 -- legitimate
CVE: CVE-2018-3143 -- legitimate
CVE: CVE-2018-3155 -- bogus
CVE: CVE-2016-9843 -- legitimate

Summary:
- 19 of 32 are bogus / do not apply to MariaDB
- 1 of 32 is outdated (was fixed as of 10.2.13)
- 12 of 32 are confirmed (and fixed in the newer 10.2.19)

$ pkg audit mariadb102-server-10.3.10
0 problem(s) in the installed packages found.

This is inaccurate. There are several CVEs which exist in 10.3.10 (fixed in 10.3.11) that should be showing up here, such as CVE-2018-3143, CVE-2018-3156, etc. What's strange: those CVEs show up for mariadb102-server but not mariadb1013-server.

$ pkg audit mariadb102-server-10.1.37
{snip}

The situation here is dire: results are split across 6 completely separate vuxml sections, for a total of 151 CVEs. However, at least one (CVE-2016-9843) is bogus for that release of MariaDB, which makes me think there are probably others.
Can these situations be rectified to reflect reality?

--
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-233068-7788>
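A way to mechanize the triage the report does by hand, as an added example that is not part of the bug report or of the FreeBSD ports tooling: it parses `pkg audit` output and classifies each listed CVE against a table of MariaDB-published verdicts. The `NOT_APPLICABLE` set and `FIXED_IN` map are constructed from a few of the verdicts stated in the report (not fetched from mariadb.com, and deliberately incomplete), and the sample audit text is constructed to mirror the report's output; `triage` and `vtuple` are hypothetical names.

```python
import re

# Constructed from the verdicts stated in the report (not fetched from mariadb.com).
NOT_APPLICABLE = {"CVE-2018-3286", "CVE-2018-3283", "CVE-2018-3279"}  # never applied
FIXED_IN = {"CVE-2018-3284": "10.2.19", "CVE-2018-3282": "10.2.19",    # CVE -> first
            "CVE-2018-3133": "10.2.13"}                                # 10.2.x with fix

PKG_RE = re.compile(r"^(?P<name>mariadb\d+-server)-(?P<ver>[\d.]+) is vulnerable:")
CVE_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d+)")

def vtuple(version):
    """'10.2.18' -> (10, 2, 18): compare versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def triage(audit_text):
    """Map each audited package to {cve: verdict}: 'bogus' (never applied to
    MariaDB), 'outdated' (fixed at or before the installed version, so the
    vuxml entry is stale), 'legitimate' (fix newer than installed), or
    'unknown' (not in the table; review manually against mariadb.com)."""
    result, current = {}, None
    for line in audit_text.splitlines():
        line = line.strip()
        pkg = PKG_RE.match(line)
        if pkg:  # header line starts a new package's CVE list
            current = (pkg["name"], vtuple(pkg["ver"]))
            result[current[0]] = {}
            continue
        cve = CVE_RE.match(line)
        if not (cve and current):
            continue  # advisory title or other non-CVE line
        cve_id = cve[1]
        if cve_id in NOT_APPLICABLE:
            verdict = "bogus"
        elif cve_id in FIXED_IN:
            verdict = "outdated" if vtuple(FIXED_IN[cve_id]) <= current[1] else "legitimate"
        else:
            verdict = "unknown"
        result[current[0]][cve_id] = verdict
    return result

# Constructed sample mirroring the shape of the report's `pkg audit` output.
SAMPLE = """mariadb102-server-10.2.18 is vulnerable:
MySQL -- multiple vulnerabilities
CVE: CVE-2018-3286
CVE: CVE-2018-3284
CVE: CVE-2018-3133
CVE: CVE-2016-9843
"""
```

Running `triage(SAMPLE)` flags CVE-2018-3286 as bogus, CVE-2018-3133 as outdated (fixed in 10.2.13, yet still listed for 10.2.18), and leaves CVE-2016-9843 as unknown because the constructed table does not cover it.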