| Summary: | databases/mariadb*-server: many bogus CVEs listed, others missing | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Jeremy Chadwick <jdc> |
| Component: | Individual Port(s) | Assignee: | Ports Security Team <ports-secteam> |
| Status: | Closed Feedback Timeout | | |
| Severity: | Affects Many People | CC: | brnrd, joneum, ports-secteam |
| Priority: | --- | Flags: | brnrd: maintainer-feedback- |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Jeremy Chadwick
2018-11-08 09:59:18 UTC
(In reply to Jeremy Chadwick from comment #0)

Hi Jeremy,

Thanks for the feedback. You'll find that it is usually me who commits these vuxml entries. I commit these knowing that they are inaccurate for MariaDB, but also for MySQL versions (not all vulnerabilities are found in all versions). At the time of publishing, by Oracle, of the vulnerabilities, there is no information on MariaDB. History tells me the "current" versions of MariaDB will be vulnerable too unless they were just released; these latter ones get the info added to the release notes after the vulnerabilities are published.

I'm curious to learn how you've come to the conclusion about 10.3.10. I was (am) expecting that 10.3.11 contains fixes to vulnerabilities, but I only find out when MariaDB releases this information in the release notes. If you have a source that provides this information earlier, I'd be happy to adapt.

UPDATE: they are available today by guessing the URL but weren't earlier; the 10.3.11 release is planned for over a week. Expect an update to the vuxml entry shortly.

If ports-secteam advises to use separate vuxml entries for MariaDB and MySQL, and potentially different vuxml entries for different versions, I will try to keep up for MariaDB but will stop creating entries for MySQL and Percona (too much work). Additionally, this will mean that MariaDB users will be informed about vulnerabilities considerably later, when MariaDB releases the next version.

Cheers,
Bernard.
A commit references this bug:

Author: brnrd
Date: Thu Nov 8 17:29:07 UTC 2018
New revision: 484465
URL: https://svnweb.freebsd.org/changeset/ports/484465

Log:
  security/vuxml: Mark MariaDB 10.3.10 vulnerable

  - From MariaDB release notes (not released yet)
    See: https://mariadb.com/kb/en/library/mariadb-10311-release-notes/

  PR: 233068

Changes:
  head/security/vuxml/vuln.xml

Re: 1st paragraph: no guesswork is needed: the links I gave in comment #0 clearly denote which MariaDB versions are affected (or not affected) by what CVEs, including the MariaDB version number in which the CVE was fixed. This information should help with the vuxml entries (which use version ranges, IIRC).

Re: 2nd paragraph: please see https://mariadb.com/kb/en/library/security/ , section "Full List of CVEs fixed in MariaDB". The CVEs are listed, alongside the version of MariaDB in which the CVE in question was fixed. That's how I know. :-)

Re: 3rd paragraph: there will always be some amount of delay or "outdatedness" due to how the CVE impact is provided by the MariaDB folks. Sadly they don't have a mailing list for security issues (their announce@ and maria-discuss@ lists don't seem to have this stuff either), thus the only way to know if a CVE truly affects/doesn't affect MariaDB is by looking at the aforementioned pages periodically. That's just the nature of the beast, and not your fault in the least.

(In reply to Jeremy Chadwick from comment #3)

Until further guidance is provided by ports-secteam and more timely information is provided by MariaDB, there will be no further action from me re. this PR.

What is the current status? Does ports-secteam have to be active here?