MariaDB itself is NOT affected by the DROWN vulnerability

Recently a serious vulnerability called DROWN was found. The vulnerability exists in systems that support SSLv2. There is flaw in SSLv2 that could be used to decrypt information over newer SSL protocols such as TLS. More information about the DROWN vulnerability with CVE number CVE-2016-0800 can be found here:

Last December Sergei Golubchik wrote a blog post about The State of SSL in MariaDB, which explains what versions of SSL cryptography is used in which MariaDB version and what is inherited from MySQL. Read more

The State of SSL in MariaDB

Usually when one says “SSL” or “TLS” it means not a specific protocol but a family of protocols. Wikipedia article has the details, but in short — SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits the flaw in SSL 3.0). TLS 1.0 is sixteen years old and while it’s still being used, new security standards (for example PCI DSS v3.1) require TLS 1.1 or, preferably, TLS 1.2.

MySQL used to support TLS 1.0 since 2001. Which means MariaDB supported it from the day one, and never supported weaker SSL 2.0 or SSL 3.0. Read more