Bug 243660 - security/vuxml: MariaDB incorrectly added to MySQL CVE's
Summary: security/vuxml: MariaDB incorrectly added to MySQL CVE's
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bernard Spil
URL: https://mariadb.com/kb/en/security-vu...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2020-01-27 23:57 UTC by ari
Modified: 2020-02-02 20:16 UTC

See Also:
koobs: maintainer-feedback? (brnrd)


Description ari 2020-01-27 23:57:50 UTC
In this commit: https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=523111&r2=523158&pathrev=523158

All current versions of MariaDB were added along with MySQL. There is no evidence that this is correct, and it may be FUD from Oracle to suggest that all forked database servers are equally vulnerable.

From MariaDB: https://mariadb.com/kb/en/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/
Comment 1 Bernard Spil freebsd_committer freebsd_triage 2020-01-28 08:13:49 UTC
(In reply to ari from comment #0)
Hi Ari,

We will only know if MariaDB was not affected after MariaDB releases the next patch-versions. Only then will fixed vulnerabilities be listed in the release notes and on the list you have linked.

As you may have noticed, the vuxml entry was committed by me and I maintain all the MariaDB ports. History tells me that usually the first MariaDB patch-releases after Oracle's quarterly vuln disclosure also address some of the Oracle vulnerabilities. The portion of shared code-base between the products is simply too large for me to assume that MySQL vulns automatically won't apply to MariaDB.

The number of vulnerabilities fixed in MariaDB tends to be lower than the number fixed in MySQL. Nonetheless, MariaDB proves to be vulnerable to some of these issues as well. Creating separate vuxml entries is simply overkill, as vuxml does not have a notion of severity or scoring.

If you find that after the patch-release there are inconsistencies in the vuxml entry, please let me know. The patch-releases are late (again), check https://jira.mariadb.org/secure/Dashboard.jspa for the schedule.
Comment 2 Bernard Spil freebsd_committer freebsd_triage 2020-01-28 08:16:47 UTC
Just in... From the MariaDB packagers mailing list:

Prep work for the MariaDB 10.4.12, 10.3.22, 10.2.31, 10.1.44, and 5.5.67
releases has begun. Expected release date is Tue, 28 Jan 2020.

Draft release notes and changelogs:

MariaDB 10.4.12
 - https://mariadb.com/kb/en/mdb-10412-rn/
 - https://mariadb.com/kb/en/mdb-10412-cl/

MariaDB 10.3.22
 - https://mariadb.com/kb/en/mdb-10322-rn/
 - https://mariadb.com/kb/en/mdb-10322-cl/

MariaDB 10.2.31
 - https://mariadb.com/kb/en/mdb-10231-rn/
 - https://mariadb.com/kb/en/mdb-10231-cl/

MariaDB 10.1.44
 - https://mariadb.com/kb/en/mdb-10144-rn/
 - https://mariadb.com/kb/en/mdb-10144-cl/

MariaDB 5.5.67
 - https://mariadb.com/kb/en/mdb-5567-rn/
 - https://mariadb.com/kb/en/mdb-5567-cl/

As usual, the release notes and changelog are still in draft form at
this time and will be updated prior to release.

Thanks.

-- 
Daniel Bartholomew, MariaDB Release Manager
MariaDB | https://mariadb.com
Comment 3 ari 2020-01-28 08:25:13 UTC
In this case MariaDB have explicitly said they are not vulnerable to any of these issues other than CVE-2020-2574, which is just not mentioned.
Comment 4 Bernard Spil freebsd_committer freebsd_triage 2020-01-28 10:22:13 UTC
https://mariadb.com/kb/en/mariadb-10412-release-notes/

Still vulnerable

> Fixes for the following security vulnerabilities:
>    * CVE-2020-7221
Comment 5 ari 2020-01-28 10:51:31 UTC
Yes, that's a new CVE not already in your vuxml entry. We don't know what that one is yet since it hasn't been announced.

I think that's nothing to do with this bug report.

The problem here (for me) is that I had all sorts of notifications for vulnerabilities that aren't in mariadb and that I cannot fix, so I need to write up documentation for how we aren't really breaching our PCI DSS even though our monitoring systems are throwing up alerts.

I guess the question is "for most FreeBSD admins, what is the purpose of vuxml in situations where there is no newer port?". For me, it is "do we need to implement some workaround". In the case where MariaDB have explicitly released docs to say almost all those CVEs don't apply, that's just extra work.

On the other hand, I appreciate all the work you do maintaining these ports and ensuring people are notified of potential issues.
Comment 6 commit-hook freebsd_committer freebsd_triage 2020-02-02 20:14:54 UTC
A commit references this bug:

Author: brnrd
Date: Sun Feb  2 20:14:41 UTC 2020
New revision: 525001
URL: https://svnweb.freebsd.org/changeset/ports/525001

Log:
  security/vuxml: Properly document MariaDB vuln

  PR:		243660
  Reported by:	<ari ish com au>

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2020-02-02 20:16:47 UTC
Looking at what was ultimately released, I do need to change the vuxml entries.
Of all those reported, only a difficult-to-exploit one (in -client) was present in MariaDB.

More worryingly, CVE-2020-7221 is gone from the release-notes.

Thanks for reporting!
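As an added example (not part of this bug report or the FreeBSD ports tree), a small check of the kind this thread is about: parse a vuxml document and flag packages that an entry lists as affected by CVEs a vendor advisory says do not apply to that product. The sample XML, the vid and the CVE ids are constructed placeholders; only the vuxml element names and namespace are real.

```python
import xml.etree.ElementTree as ET

# Real vuxml namespace; the document below is a constructed sample, not a real entry.
NS = {"v": "http://www.vuxml.org/2002/vuxml-1.0"}

SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2002/vuxml-1.0">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>MySQL -- Multiple vulnerabilities (constructed sample)</topic>
    <affects>
      <package><name>mysql57-server</name><range><lt>5.7.29</lt></range></package>
      <package><name>mariadb104-server</name><range><lt>10.4.12</lt></range></package>
      <package><name>mariadb104-client</name><range><lt>10.4.12</lt></range></package>
    </affects>
    <references>
      <cvename>CVE-0000-0001</cvename>
      <cvename>CVE-0000-0002</cvename>
    </references>
  </vuln>
</vuxml>
"""


def load_entries(xml_text):
    """Return one (vid, [package names], [CVE ids]) tuple per <vuln> element."""
    root = ET.fromstring(xml_text)
    entries = []
    for vuln in root.findall("v:vuln", NS):
        names = [n.text for n in vuln.findall("v:affects/v:package/v:name", NS)]
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        entries.append((vuln.get("vid"), names, cves))
    return entries


def suspect_claims(xml_text, pkg_prefix, vendor_not_affected):
    """List (vid, package, cve) where a package whose name starts with
    pkg_prefix is claimed affected by a CVE in vendor_not_affected, i.e.
    a CVE the vendor's own advisory says does not apply to that product."""
    hits = []
    for vid, names, cves in load_entries(xml_text):
        for name in names:
            if not name.startswith(pkg_prefix):
                continue
            for cve in cves:
                if cve in vendor_not_affected:
                    hits.append((vid, name, cve))
    return hits


if __name__ == "__main__":
    # Constructed vendor statement: CVE-0000-0002 does not exist in the fork.
    for hit in suspect_claims(SAMPLE_VUXML, "mariadb", {"CVE-0000-0002"}):
        print("entry %s lists %s for %s; vendor says not affected" % hit)
```

Run against the real vuln.xml and a vendor's list of non-applicable CVEs, the output is the set of package/CVE pairs a maintainer should either drop from the entry or document as confirmed.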