Issues Corresponding to MySQL Versions in TiDB

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: TiDB对应MySQL版本问题

| username: Alan

I would like to ask everyone: our TiDB deployment has been found to have the CVE-2019-2632 and CVE-2021-2144 vulnerabilities. After checking, I found that the MySQL version corresponding to TiDB 6.1.0 is 5.7.25, and to fix the vulnerabilities it needs to be upgraded to 5.7.30. So I would like to ask what the MySQL versions corresponding to the various TiDB versions are now.

| username: xfworld | Original post link

The version number can be changed at will :crazy_face:

Come on, change it at will

| username: Alan | Original post link

Thank you for your response, but will it continue to detect vulnerabilities after the changes?

| username: tidb菜鸟一只 | Original post link

Do you think changing the version will prevent vulnerabilities from being detected? :joy:

| username: Alan | Original post link

Yes, that’s exactly the question I wanted to ask, hahaha.

| username: 裤衩儿飞上天 | Original post link

  1. Don’t blindly trust vulnerability scans. Turn off external network access to the database, and ensure the firewall (hardware in the data center, not the system firewall) is properly configured. You don’t need to worry about those vulnerability scans for the database unless you encounter a bug or have application requirements. Don’t upgrade a stable-running database lightly.
  2. Vulnerability scans are a scam. They just take the official vulnerability list, compare versions, and generate a report for the leadership. It’s not very useful.

| username: Alan | Original post link

The main issue is that the customer’s network security personnel conducted an evaluation and scan, and now the customer needs us to resolve it. :joy:

| username: Alan | Original post link

Hello, I would like to ask if the vulnerability will still be detected after changing the version number.

| username: xfworld | Original post link

Look at the red box part…

| username: Alan | Original post link

OK, thanks :call_me_hand:

| username: Minorli-PingCAP | Original post link

Currently, domestic vulnerability scans do not (or rather, the vast majority do not) actually perform an intrusion to check if a vulnerability truly exists. They simply and crudely look at the version number and directly produce results based on the version number and the official CVE list. Therefore, changing the version number is feasible.
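As an added illustration (not from the thread or from TiDB), here is how a version-only scanner of the kind described above keys on the MySQL compatibility prefix that TiDB reports from `SELECT VERSION()`, and how a defender can separate that prefix from the actual TiDB release when triaging such a finding. The `5.7.25-TiDB-v6.1.0` string format, the sample string and the CVE-to-fix-version mapping are assumptions built from the numbers in the thread, not an authoritative advisory table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `SELECT VERSION()` returns on TiDB: a MySQL
# compatibility prefix, then the TiDB release (string format assumed).
SAMPLE_VERSION = "5.7.25-TiDB-v6.1.0"

# Fix versions as stated in the thread (both CVEs said to need MySQL 5.7.30);
# taken from the post, not from an authoritative advisory table.
FIXED_IN_MYSQL: Dict[str, Tuple[int, int, int]] = {
    "CVE-2019-2632": (5, 7, 30),
    "CVE-2021-2144": (5, 7, 30),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-TiDB-v(\S+))?")

@dataclass
class ReportedVersion:
    mysql_compat: Tuple[int, int, int]  # the prefix a version-only scanner keys on
    tidb: Optional[str]                 # real TiDB release, None for plain MySQL

def parse_version(version_string: str) -> ReportedVersion:
    """Split a VERSION() string into the MySQL prefix and the TiDB release."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch, tidb = m.groups()
    return ReportedVersion((int(major), int(minor), int(patch)), tidb)

def naive_scanner_findings(version_string: str) -> List[str]:
    """Mimic a version-only scanner: flag every CVE whose MySQL fix version is
    newer than the reported prefix, without ever probing the service itself."""
    reported = parse_version(version_string).mysql_compat
    return sorted(cve for cve, fix in FIXED_IN_MYSQL.items() if reported < fix)

def triage(version_string: str) -> dict:
    """Defender view: the scanner's findings plus whether the server is really
    TiDB, so each finding is checked against TiDB's own release notes instead
    of being treated as an unpatched MySQL 5.7.25 install."""
    parsed = parse_version(version_string)
    return {
        "findings": naive_scanner_findings(version_string),
        "is_tidb": parsed.tidb is not None,
        "tidb_version": parsed.tidb,
    }
```

Running `triage(SAMPLE_VERSION)` reproduces the two findings from the scanner while also recording that the host is TiDB 6.1.0, which is the information the customer's security team needs to judge whether the MySQL CVEs apply at all.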

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.