Date: Sat, 06 Aug 2016 16:17:43 -0500 From: Mark Felder <feld@feld.me> To: Kubilay Kocak <koobs@FreeBSD.org>, Michael Grimm <trashcan@ellael.org>, freebsd-ports@FreeBSD.org Cc: Bernard Spil <brnrd@FreeBSD.org>, FreeBSD Ports Security Team <ports-secteam@freebsd.org> Subject: Re: mariadb101-server vulnerability? Message-ID: <1470518263.1795353.687963209.59065A27@webmail.messagingengine.com> In-Reply-To: <0ff02264-b10d-c0a6-f82b-38d178f26aac@FreeBSD.org> References: <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org> <F7C5E254-6801-4274-A973-9ECBAB3EA20F@ellael.org> <0ff02264-b10d-c0a6-f82b-38d178f26aac@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 6, 2016, at 07:34, Kubilay Kocak wrote: > On 6/08/2016 7:23 AM, Michael Grimm wrote: > > Hi =E2=80=94 > >=20 > > Kubilay Kocak <koobs@FreeBSD.org> wrote: > >=20 > >> Unfortunately you are yet one more example of a user that's been left = in > >> the lurch without information or recourse wondering (rightfully) how > >> they can resolve or mitigate this vulnerability. Our apologies. > >=20 > > While we are that topic, I am wondering about that 14 days old warning,= as well: > >=20 > > mariadb101-server-10.1.16 is vulnerable: > > MySQL -- Multiple vulnerabilities > > CVE: CVE-2016-3452 > > [long list of CVEs snipped] > > CVE: CVE-2016-3477 > > https://vuxml.FreeBSD.org/freebsd/ca5cb202-4f51-11e6-b2ec-b499baebfeaf= .html > >=20 > > I really do not know how serious this report is. Every feedback is high= ly appreciated. >=20 > Hi Michael: >=20 > Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211274 >=20 > Your comment on that issue would be appreciated. >=20 > The parent issue (assigned to ports-secteam (cc'd)) for coordinating the > multiple vulnerable ports is: >=20 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211248 >=20 >=20 >From what I can see MariaDB hasn't released an update to address these issues yet. I believe Oracles does not coordinate release of security issues with third parties / forks. This has probably caught MariaDB off guard and they're likely waiting for access to the relevant commits to import the fixes. --=20 Mark Felder feld@feld.me
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1470518263.1795353.687963209.59065A27>