Subject: Re: MariaDB 10.0 is vulnerable
From: Adam Weinberger
Date: Mon, 22 Jan 2018 16:12:23 -0700
To: "@lbutlr"
Cc: freebsd ports
Message-Id: <38290E32-C6DC-4C1A-8495-150E78B74E9C@adamw.org>
In-Reply-To: <3F28783C-B8A6-42D4-9BB0-1FA089E40567@kreme.com>

> On 22 Jan, 2018, at 15:50, @lbutlr wrote:
>
> I have a new server I am setting up and I am trying to make it identical
> to the server I am retiring. Both are running FreeBSD 11.1
>
> Today I updated mariadb100-server to 10.0.33_1 on the original server,
> but when I try to do that on the new server I get:
>
> ===> Cleaning for mariadb100-server-10.0.33_1
> ===> mariadb100-server-10.0.33_1 has known vulnerabilities:
> mariadb100-server-10.0.33_1 is vulnerable:
> MySQL -- multiple vulnerabilities
> CVE: CVE-2018-2703
> CVE: CVE-2018-2696
> CVE: CVE-2018-2668
> CVE: CVE-2018-2667
> CVE: CVE-2018-2665
> CVE: CVE-2018-2647
> CVE: CVE-2018-2646
> CVE: CVE-2018-2645
> CVE: CVE-2018-2640
> CVE: CVE-2018-2622
> CVE: CVE-2018-2612
> CVE: CVE-2018-2600
> CVE: CVE-2018-2591
> CVE: CVE-2018-2590
> CVE: CVE-2018-2586
> CVE: CVE-2018-2583
> CVE: CVE-2018-2576
> CVE: CVE-2018-2573
> CVE: CVE-2018-2565
> CVE: CVE-2018-2562
> WWW:
> https://vuxml.FreeBSD.org/freebsd/e3445736-fd01-11e7-ac58-b499baebfeaf.html
>
> 1 problem(s) in the installed packages found.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'

What happened here is that there are multiple known vulnerabilities in
MariaDB 10.0. Ports with known vulnerabilities are marked as vulnerable,
even if there's no update available. You can ignore the vulnerability by
rebuilding with 'make DISABLE_VULNERABILITIES=yes'.

# Adam

--
Adam Weinberger
adamw@adamw.org
http://www.adamw.org
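
Added example, not part of the original message: before overriding the check with DISABLE_VULNERABILITIES=yes, it helps to condense the audit report into one line per advisory so each can be reviewed. The function names and the abridged sample input are constructed for illustration; the package name, CVE ids and VuXML URL in the sample come from the report quoted above.

```shell
#!/bin/sh
# Added example: condense an audit report to one tab-separated line per
# advisory: <package> <CVE count> <VuXML URL> <advisory title>.

summarize_audit() {
    awk '
        # "<pkg> is vulnerable:" opens the record for one package.
        / is vulnerable:/     { pkg = $1; title = ""; ncve = 0; next }
        # Build noise before the first record is ignored.
        pkg == ""             { next }
        $1 == "CVE:"          { ncve++; next }
        # The WWW line closes one advisory; a package may carry several.
        $1 == "WWW:"          { printf "%s\t%d\t%s\t%s\n", pkg, ncve, $2, title
                                title = ""; ncve = 0; next }
        # First non-empty line of an advisory is its title.
        NF > 0 && title == "" { $1 = $1; title = $0 }
    '
}

# Constructed, abridged sample in the report format quoted in the thread
# (3 of the 20 CVE lines kept, WWW line unwrapped).
sample_audit() {
    cat <<'EOF'
===>  mariadb100-server-10.0.33_1 has known vulnerabilities:
mariadb100-server-10.0.33_1 is vulnerable:
MySQL -- multiple vulnerabilities
CVE: CVE-2018-2703
CVE: CVE-2018-2696
CVE: CVE-2018-2668
WWW: https://vuxml.FreeBSD.org/freebsd/e3445736-fd01-11e7-ac58-b499baebfeaf.html

1 problem(s) in the installed packages found.
EOF
}

sample_audit | summarize_audit
```

On a FreeBSD host, `pkg audit -F | summarize_audit` feeds the function the live report after refreshing the vulnerability database.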