In this commit: https://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=523111&r2=523158&pathrev=523158
All current versions of MariaDB were added along with MySQL. There is no evidence that this is correct, and it may be FUD from Oracle to suggest that all forked database servers are equally vulnerable.
From MariaDB: https://mariadb.com/kb/en/security-vulnerabilities-in-oracle-mysql-that-did-not-exist-in-mariadb/
(In reply to ari from comment #0)
We will only know if MariaDB was not affected after MariaDB releases the next patch-versions. Only then will fixed vulnerabilities be listed in the release notes and on the list you have linked.
As you may have noticed, the vuxml entry was committed by me, and I maintain all the MariaDB ports. History tells me that usually the first MariaDB patch-releases after an Oracle quarterly vuln disclosure also address some of the Oracle vulnerabilities. The portion of shared code-base between the products is simply too large for me to assume that MySQL vulns automatically won't apply to MariaDB.
The number of vulnerabilities fixed in MariaDB tends to be lower than the number fixed in MySQL. Nonetheless, MariaDB proves to be vulnerable to some of these issues as well. Creating separate vuxml entries is simply overkill, as vuxml does not have a notion of severity or scoring.
If you find that after the patch-release there are inconsistencies in the vuxml entry, please let me know. The patch-releases are late (again); check https://jira.mariadb.org/secure/Dashboard.jspa for the schedule.
Just in... From the MariaDB packagers mailing list:
Prep work for the MariaDB 10.4.12, 10.3.22, 10.2.31, 10.1.44, and 5.5.67 releases has begun. Expected release date is Tue, 28 Jan 2020.
Draft release notes and changelogs:
As usual, the release notes and changelog are still in draft form at this time and will be updated prior to release.
Daniel Bartholomew, MariaDB Release Manager
MariaDB | https://mariadb.com
packagers mailing list
In this case MariaDB have explicitly said they are not vulnerable to any of these issues other than CVE-2020-2574, which is just not mentioned.
> Fixes for the following security vulnerabilities:
> * CVE-2020-7221
Yes, that's a new CVE not already in your vuxml entry. We don't know what that one is yet since it hasn't been announced.
I think that's nothing to do with this bug report.
The problem here (for me) is that I had all sorts of notifications for vulnerabilities that aren't in mariadb and that I cannot fix, so I need to write up documentation for how we aren't really breaching our PCI DSS even though our monitoring systems are throwing up alerts.
I guess the question is "for most FreeBSD admins, what is the purpose of vuxml in situations where there is no newer port?". For me, it is "do we need to implement some workaround". In the case where MariaDB have explicitly released docs to say almost all those CVEs don't apply, that's just extra work.
On the other hand, I appreciate all the work you do maintaining these ports and ensuring people are notified of potential issues.
A commit references this bug:
Date: Sun Feb 2 20:14:41 UTC 2020
New revision: 525001
security/vuxml: Properly document MariaDB vuln
Reported by: <ari ish com au>
Looking at what was ultimately released, I do need to change the vuxml entries.
Of all those reported, only a difficult-to-exploit one (in -client) was present in MariaDB.
More worryingly, CVE-2020-7221 is gone from the release-notes.
Thanks for reporting!