GNU bug report logs -
#47257
mariadb is vulnerable to CVE-2021-27928 (RCE)
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Fri, 19 Mar 2021 10:26:02 UTC
Severity: normal
Tags: security
Done: Léo Le Bouter <lle-bout <at> zaclys.net>
Bug is archived. No further changes may be made.
Full log
Message #63 received at 47257 <at> debbugs.gnu.org (full text, mbox):
Hi Léo,
On Tue, 30 Mar 2021 at 02:26, Léo Le Bouter <lle-bout <at> zaclys.net> wrote:
> I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
> patch. Thank you for it. Let's watch for upstream zstd fix also.
Thanks. It mitigates zstd, even if it does not solve MariaDB. One
foot, then another. :-)
> I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.
Cool! LTGM.
> Ubuntu released a patch in the mean time, so while we couldnt make such
> patch in a timely manner because the backport was non-trivial and
> security-sensitive also didnt want to risk failing to fix the flaw
> because I don't have much expertise on it, Ubuntu now has done that
> work and we can just use it.
Thanks for taking care. And do not consider my concerns as a slowdown
but instead as a way to reach something better. For instance
9feef62b73 seems The Right Thing (AFAIU), whereas 6f873731a0 and
2bcfb944bd are not (AFAIK). On one hand, I agree that ~3 weeks
appears long through the lens of security vulnerabilities. On the
other hand, it is usually worth to take the time; as here. :-)
Examine the various options and so the best move always takes time.
Well, thanks for pushing forward with security.
All the best,
simon
This bug report was last modified 4 years and 49 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.