Thank you Sergei,

Looks like there is a release of MariaDB Galera Cluster 10.0.16 also on the way.
https://mariadb.atlassian.net/browse/MDEV/fixforversion/18101/?selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel

I imagine this will ship shortly after MariaDB 10.0.16?

Best,
Shannon Coen

On Mon, Jan 26, 2015 at 8:44 AM, Sergei Golubchik <s...@mariadb.org> wrote:

> Hi, Raina!
>
> On Jan 23, Raina Masand wrote:
> > Hello,
> >
> > We recently were informed of some security fixes in Mysql 5.5.41:
> > http://www.ubuntu.com/usn/usn-2480-1/ and are wondering whether there are
> > plans to include these in an upcoming MariaDB release. Right now, we are
> > running 10.0.13, so we're trying to plan the next upgrade. We see that
> > there have been similar fixes included in MariaDB 10.0.14 and 10.0.15, so
> > this seems likely.
> >
> > Based on this https://mariadb.com/kb/en/mariadb/development/security/ list
> > of CVE's, it looks like the MariaDB 10.0.15 and MariaDB 5.5.40 include the
> > same security fixes (presumably pulled from Mysql 5.5.40). Can we expect
> > that the fixes from Mysql 5.5.41 will be included in an upcoming MariaDB
> > 10.0.16 release? Would appreciate any insight into the general schedule for
> > addressing these vulnerabilities.
>
> Yes, I have updated the Security page to include these newly announced
> vulnerabilities. They are fixed in MariaDB-5.5.41 and MariaDB-10.0.16.
>
> Generally it works as follows:
> * Oracle discovers or learns about a security vulnerability in MySQL
> * Oracle doesn't tell anyone and secretly fixes it
> * Oracle releases a new - fixed - MySQL version
> * We (MariaDB) pull in MySQL changes and release a new MariaDB version
>   - this usually takes a few days (up to a week)
> * Oracle releases a CPU with very vague description of vulnerabilities
>   - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> * By that time a fixed MariaDB version is already released, I only need
>   to add new CVE numbers to the Security page
>
> So, generally, when new vulnerabilities are publicly announced,
> the latest MariaDB release already has them fixed. Even if Security
> page doesn't tell so.
>
> Regards,
> Sergei

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp