When running glsa-check, I receive the following output:

tech8 ~ # glsa-check -v -n -t affected
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
...<snip>...
201504-05 [N] [remote ] MySQL and MariaDB: Multiple vulnerabilities ( dev-db/mysql dev-db/mariadb-5.5.48 )
...<snip>...

Reproducible: Always

Steps to Reproduce:
1. Install dev-db/mariadb-5.5.48 and app-portage/gentoolkit-0.3.0.9-r2
2. Run "glsa-check -v -n -t affected"
3. Check the output.

Actual Results:
glsa-check reports installed version of MariaDB-5.5.48 as being vulnerable.

Expected Results:
glsa-check shouldn't have brought MariaDB into the list at this time.

I have looked through all the posted CVEs for this GLSA (201504-05).

CVE-2014-6568: MariaDB not directly listed as affected.
CVE-2015-0374: MariaDB not directly listed as affected.
CVE-2015-0381: MariaDB not directly listed as affected.
CVE-2015-0382: MariaDB not directly listed as affected.
CVE-2015-0385: MariaDB not directly listed as affected.
CVE-2015-0391: MariaDB not directly listed as affected.
CVE-2015-0409: MariaDB not directly listed as affected.
CVE-2015-0411: MariaDB not directly listed as affected.
CVE-2015-0432: MariaDB not directly listed as affected.

Now, while I know that MySQL and MariaDB share major sections of the codebase, part of the reason for the fork was to get things improved and squared away faster than Oracle was willing to fix and improve their product.

Furthermore, to make sure I did my due diligence, I went to https://mariadb.com/kb/en/mariadb/security/ and confirmed that all reported CVEs that really affect both MySQL and MariaDB have been addressed in current versions of the MariaDB 5.5 series:

----------------------------------------------------------------
Full List of CVEs fixed in MariaDB (snipped to CVEs in question)
...<snip>...
CVE-2015-0432: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0411: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0391: MariaDB 5.5.39, MariaDB 10.0.13
CVE-2015-0382: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0381: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0374: MariaDB 5.5.41, MariaDB 10.0.16
...<snip>...
CVE-2014-6568: MariaDB 5.5.41, MariaDB 10.0.16
----------------------------------------------------------------

Keep in mind that MariaDB 5.5 is the last version that acts as a full "drop-in replacement" for MySQL (5.5), which eases transition from one to the other. At MariaDB 10, some additional conversions and/or configurations may need to be done for proper functioning.

Hope that helps. Thanks for all your hard work.
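The due-diligence check described in the report, redone as a script. This is an added example, not code from the report or from gentoolkit/glsa-check; it assumes the fixed-in lines quoted above and a simple branch rule (the fix that counts is the one on the installed release branch, 5.5 versus 10.0). CVEs absent from the quoted snippet (CVE-2015-0385, CVE-2015-0409) come out as "unknown" rather than being assumed fixed.

```python
"""Re-do the reporter's manual check: is each CVE from GLSA 201504-05 fixed
in the installed MariaDB, according to the vendor's fixed-in table?"""
import re

# Fixed-in lines exactly as quoted in the bug report (branch-specific fixes).
MARIADB_FIXED_IN = """
CVE-2015-0432: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0411: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0391: MariaDB 5.5.39, MariaDB 10.0.13
CVE-2015-0382: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0381: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2015-0374: MariaDB 5.5.41, MariaDB 10.0.16
CVE-2014-6568: MariaDB 5.5.41, MariaDB 10.0.16
"""
# CVEs the report lists for GLSA 201504-05.
GLSA_201504_05_CVES = [
    "CVE-2014-6568", "CVE-2015-0374", "CVE-2015-0381", "CVE-2015-0382",
    "CVE-2015-0385", "CVE-2015-0391", "CVE-2015-0409", "CVE-2015-0411",
    "CVE-2015-0432",
]

def parse_version(v):
    """'5.5.48' or '5.5.48-r1' -> (5, 5, 48); the Gentoo revision is dropped."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def parse_fixed_in(text):
    """{cve: {branch: fixed_version}} from 'CVE-...: MariaDB x.y.z, ...' lines."""
    table = {}
    for line in text.strip().splitlines():
        cve, _, rest = line.partition(":")
        versions = re.findall(r"MariaDB (\d+(?:\.\d+)+)", rest)
        table[cve.strip()] = {v.rsplit(".", 1)[0]: v for v in versions}
    return table

def unfixed_cves(installed, glsa_cves, fixed_in):
    """GLSA CVEs the installed version carries no fix for. 'fixed in X' means
    the branch fix is newer than what is installed; 'unknown' means the vendor
    table lists no fix on this branch, so a human must look rather than the
    script silently treating it as safe."""
    branch = installed.split("-")[0].rsplit(".", 1)[0]
    result = {}
    for cve in glsa_cves:
        fixed = fixed_in.get(cve, {}).get(branch)
        if fixed is None:
            result[cve] = "unknown"
        elif parse_version(installed) < parse_version(fixed):
            result[cve] = "fixed in " + fixed
    return result
```

For the reporter's dev-db/mariadb-5.5.48 only the two CVEs missing from the snippet remain to be checked by hand; an older 5.5.40 would instead be flagged against the 5.5.41 fixes.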
The GLSA for MariaDB is currently in draft stages. Once it is written and checked in, this will be addressed.
dev-db/mariadb-5.x is currently unstable, which means it is not supported by Gentoo security. However, considering the patch is backported to >=5.5.41 we can add it to the rge so the false positive goes away. Please let us know if you continue to have false positives or other issues.