USN-3269-1: partially applies to MariaDB too

Bug #1698689 reported by Otto Kekäläinen
This bug affects 1 person

Affects                        Status         Importance   Assigned to      Milestone
mariadb-10.0 (Ubuntu)
  Xenial                       Fix Released   Undecided    Unassigned
  Yakkety                      Won't Fix      Undecided    Unassigned
mariadb-10.1 (Ubuntu)          Fix Released   Undecided    Unassigned
  Zesty                        Fix Released   Undecided    Unassigned
  Artful                       Fix Released   Undecided    Unassigned
mariadb-5.5 (Ubuntu)
  Trusty                       Fix Released   Undecided    Steve Beattie

Bug Description

https://www.ubuntu.com/usn/usn-3269-1/

The security notice above also affects MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial and Yakkety
 - mariadb-10.1 in Zesty (Artful can sync from Debian)

Otto Kekäläinen (otto)
summary: - USN-3269-1: partially applies to MariaDB too Edit
+ USN-3269-1: partially applies to MariaDB too
Revision history for this message
Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Revision history for this message
Otto Kekäläinen (otto) wrote :

The 10.0 series update for 16.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/log/?h=ubuntu-16.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

As a reminder, debdiffs can be browsed directly from the repo like this:
https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/diff/debian/?id=ubuntu/10.0.31-0ubuntu0.16.04.1&id2=ubuntu/10.0.29-0ubuntu0.16.04.1

Or in a local clone with 'git diff <tag1>..<tag2> debian/'

Revision history for this message
Otto Kekäläinen (otto) wrote :

The same for 16.10 will be pushed in a few hours.

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Revision history for this message
Otto Kekäläinen (otto) wrote :

I forgot about this original report and created a duplicate at https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1698689

Anyway, MariaDB security uploads have been prepared for a security sponsor to upload (or to mentor me on how to do it if I can do it myself).

Revision history for this message
Steve Beattie (sbeattie) wrote :

Otto, thanks for these. I'm working on sponsoring them now.

Changed in mariadb-10.0 (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hello,

I've gone ahead and pushed the packages to the ubuntu-security-proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa) for people to test. It should be noted that this ppa is for testing purposes only and should not be left enabled.

Also, both mariadb-10.0 packages FTBFS on powerpc, the build logs can be seen at:

  https://launchpadlibrarian.net/325315588/buildlog_ubuntu-yakkety-powerpc.mariadb-10.0_10.0.31-0ubuntu0.16.10.1_BUILDING.txt.gz
  https://launchpadlibrarian.net/325316886/buildlog_ubuntu-xenial-powerpc.mariadb-10.0_10.0.31-0ubuntu0.16.04.1_BUILDING.txt.gz

Both fail in the same way:

  In file included from /<<PKGBUILDDIR>>/storage/innobase/lock/lock0wait.cc:29:0:
  /<<PKGBUILDDIR>>/storage/innobase/include/srv0mon.h:621:8: error: ‘ib_mutex_t’ does not name a type
   extern ib_mutex_t monitor_mutex;
          ^

that looks very similar to https://jira.mariadb.org/browse/MDEV-13009 (aka https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864298).

Also, Otto, will we be preparing mariadb-10.1 packages for zesty?

Thanks again.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Hello!

I will look into the powerpc issue. Unfortunately it is not possible to enable powerpc at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/ so I didn't have a chance to see this failing earlier.

I will also work on the 10.1 upload, but I consider the updates to 14.04 and 16.04 LTS more urgent.

Steve Beattie (sbeattie)
Changed in mariadb-5.5 (Ubuntu):
status: New → In Progress
no longer affects: mariadb-10.0 (Ubuntu Trusty)
Changed in mariadb-5.5 (Ubuntu):
status: In Progress → Invalid
Changed in mariadb-5.5 (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
no longer affects: mariadb-5.5 (Ubuntu Xenial)
no longer affects: mariadb-5.5 (Ubuntu Yakkety)
no longer affects: mariadb-5.5 (Ubuntu Zesty)
no longer affects: mariadb-10.0 (Ubuntu Zesty)
no longer affects: mariadb-5.5 (Ubuntu Artful)
no longer affects: mariadb-5.5 (Ubuntu Zesty)
no longer affects: mariadb-10.0 (Ubuntu Zesty)
no longer affects: mariadb-10.0 (Ubuntu Artful)
Changed in mariadb-10.0 (Ubuntu Xenial):
status: New → In Progress
Changed in mariadb-10.0 (Ubuntu Yakkety):
status: New → In Progress
Changed in mariadb-10.0 (Ubuntu):
status: In Progress → Invalid
assignee: Steve Beattie (sbeattie) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.56-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.56-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.56. Includes fixes made
    in release 5.5.55 for the following security vulnerabilities
    (LP: #1698689):
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3313
    - CVE-2017-3309
    - CVE-2017-3308
    - CVE-2017-3302

 -- Otto Kekäläinen <email address hidden> Sun, 18 Jun 2017 23:04:24 +0200

Changed in mariadb-5.5 (Ubuntu Trusty):
status: In Progress → Fix Released
Revision history for this message
Otto Kekäläinen (otto) wrote :

Steve,

The 10.0 series update for 16.04 with the powerpc fix is now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/log/?h=ubuntu-16.04

The patch to fix powerpc has been made with best effort, but we didn't actually have access to a powerpc machine to test if it works. Please run a new build and let us know the result.

If you confirm this works for powerpc I'll update the 16.10 branch as well.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Otto - I've reviewed the 16.04 changes and they looked fine so I uploaded them to the ubuntu-security-proposed PPA:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please keep an eye on whether or not the powerpc build succeeds. Note that I had to bump the version number so that it would supersede the version that FTBFS on powerpc in the PPA.

Thanks!
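
The version bump Tyler mentions has a second constraint besides superseding the build already in the PPA: the xenial version must still sort below the yakkety version (10.0.31-0ubuntu0.16.10.1 in the build log above), or a 16.04 to 16.10 upgrade would see the security package as a downgrade. The following is an added example, not code from this bug, from the MariaDB packaging or from dpkg: a pure-Python port of the dpkg version ordering from Debian Policy, with a helper that performs the same trailing-digit bump and a check over the series' versions. For a real upload, `dpkg --compare-versions` is the reference implementation; the port is here so the ordering rules ('~' before end of string, digit runs compared numerically) are visible.

```python
import re

# Added example (not code from this bug report, the MariaDB packaging or
# dpkg): a Python port of dpkg's version comparison, used to check that a
# sponsor's version bump supersedes the earlier build and still sorts below
# the next release's version. Prefer `dpkg --compare-versions` in practice.


def _order(c):
    """Weight of one non-digit character: '~' sorts before the end of the
    string (weight 0), letters sort before every other character."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and digit runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run, character by character; a side that has ended or
        # reached a digit weighs 0, so "1.0~rc1" < "1.0" < "1.0a".
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ca = _order(a[ia]) if ia < len(a) and not a[ia].isdigit() else 0
            cb = _order(b[ib]) if ib < len(b) and not b[ib].isdigit() else 0
            if ca != cb:
                return -1 if ca < cb else 1
            ia += 1
            ib += 1
        # Digit run, compared numerically (leading zeros ignored: 04 == 4).
        sa, sb = ia, ib
        while ia < len(a) and a[ia].isdigit():
            ia += 1
        while ib < len(b) and b[ib].isdigit():
            ib += 1
        na, nb = int(a[sa:ia] or "0"), int(b[sb:ib] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def superseding_bump(version):
    """Bump the trailing numeric component, the way a sponsor does when a
    rebuild must replace a version already in a PPA: ...16.04.1 -> ...16.04.2."""
    return re.sub(r"(\d+)$", lambda m: str(int(m.group(1)) + 1), version)


def upgrade_path_ok(versions_by_release):
    """versions_by_release: [(release, version), ...] in release order.
    True if every version sorts strictly below the next release's, so a
    dist-upgrade never has to downgrade the security package."""
    return all(
        compare_versions(older, newer) < 0
        for (_, older), (_, newer) in zip(versions_by_release, versions_by_release[1:])
    )


# Versions from this bug: the bumped xenial upload and the yakkety build
# that FTBFS on powerpc and was never released.
MARIADB_10_0 = [
    ("xenial", superseding_bump("10.0.31-0ubuntu0.16.04.1")),
    ("yakkety", "10.0.31-0ubuntu0.16.10.1"),
]

if __name__ == "__main__":
    print(MARIADB_10_0, "upgrade path ok:", upgrade_path_ok(MARIADB_10_0))
```

Had the bump produced something like 10.0.31-0ubuntu0.16.04.2ubuntu1 the path check would still pass, but a bump in the upstream part (10.0.32-0ubuntu0.16.04.1) would fail it against the 16.10 version and is exactly the case the check is meant to catch.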

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Otto - I wanted to point out that mariadb-10.0 10.0.31-0ubuntu0.16.04.2 successfully built on all Xenial architectures.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Disk space was increased, test builds all green at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Tag ubuntu/10.1.25-0ubuntu0.17.04.1 is ready for upload.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Ping. Pending 10.1.25-0ubuntu0.17.04.1 to be uploaded by sponsor.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Ping again..

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks Otto! The 17.04 upload looks good to me and I've sponsored it into ppa:ubuntu-security-proposed/ppa. I should be able to release it later today.

Unfortunately, 16.10 went EoL before we got around to sponsoring your mariadb-10.0 update. I'll release the corresponding 16.04 update later today.

Changed in mariadb-10.0 (Ubuntu Xenial):
status: In Progress → Confirmed
Changed in mariadb-10.0 (Ubuntu Yakkety):
status: In Progress → Won't Fix
Changed in mariadb-10.1 (Ubuntu Zesty):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.31-0ubuntu0.16.04.2

---------------
mariadb-10.0 (10.0.31-0ubuntu0.16.04.2) xenial-security; urgency=high

  [ Otto Kekäläinen ]
  * SECURITY UPDATE: New upstream release 10.0.31. Includes fixes for the
    following security vulnerabilities (LP: #1698689):
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3309
    - CVE-2017-3308
  * Previous release 10.0.30 included fixes for
    the following security vulnerabilities:
    - CVE-2017-3313
    - CVE-2017-3302
  * Includes upstream fix for Debian log rotate to not rotate binary/relay
    logs (MDEV-11610).

  [ Vicențiu Ciorbaru ]
  * Add patch that fixes upstream regression in 10.0.31 which made builds
    on powerpc fail (‘ib_mutex_t’ does not name a type).

 -- Otto Kekäläinen <email address hidden> Wed, 28 Jun 2017 22:12:03 +0300

Changed in mariadb-10.0 (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.1 - 10.1.25-0ubuntu0.17.04.1

---------------
mariadb-10.1 (10.1.25-0ubuntu0.17.04.1) zesty-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.1.25 (LP: #1698689)
    - Drop wsrep patches already applied upstream
    - Drop MIPS patches that no longer apply cleanly and which
       are not relevant for Ubuntu anyway
    - Add cracklib-runtime to Build-Depends (MDEV-13288)
  * Previous release 10.1.23 included fixes for
    the following security vulnerabilities:
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3309
    - CVE-2017-3308
  * Previous release 10.1.22 included fixes for
    - CVE-2017-3313
    - CVE-2017-3302

 -- Otto Kekäläinen <email address hidden> Mon, 10 Jul 2017 21:44:13 +0300

Changed in mariadb-10.1 (Ubuntu Zesty):
status: Confirmed → Fix Released
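
The three changelog entries above are what a security sponsor checks before uploading: the target pocket is a -security one, urgency is high, the LP bug is referenced, and every series covers the same set of CVEs even though each series picked them up in different upstream releases (5.5.55, 10.0.30/10.0.31, 10.1.22/10.1.23). The following is an added example, not code from this bug or from the MariaDB packaging, that pulls that cross-check into a script: it parses debian/changelog entries, collects the CVE IDs and LP bugs each one references, and reports an upload whose suite, urgency or CVE coverage does not match its sibling series. The input is the three entries quoted in this bug, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field

# Added example (not code from this bug report or the MariaDB packaging):
# a sponsor's pre-upload cross-check over debian/changelog entries.

HEADER = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<suite>\S+); urgency=(?P<urgency>\S+)")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
LP_BUG = re.compile(r"LP: #(\d+)")


@dataclass
class Entry:
    source: str
    version: str
    suite: str
    urgency: str
    cves: set = field(default_factory=set)
    lp_bugs: set = field(default_factory=set)


def parse_changelog(text):
    """Entries newest first, each with every CVE and LP bug mentioned in its
    body. 'Previous release included fixes for' bullets count too: for a
    series that skipped that release they are new fixes in this upload."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Entry(**m.groupdict())
            entries.append(current)
        elif current is not None:
            current.cves.update(CVE_ID.findall(line))
            current.lp_bugs.update(LP_BUG.findall(line))
    return entries


def audit(entry, lp_bug, expected_cves):
    """Reasons a sponsor would bounce the upload; an empty list means OK."""
    problems = []
    if not entry.suite.endswith("-security"):
        problems.append(f"{entry.version}: suite {entry.suite!r} is not a -security pocket")
    if entry.urgency != "high":
        problems.append(f"{entry.version}: urgency={entry.urgency}, expected high")
    if lp_bug not in entry.lp_bugs:
        problems.append(f"{entry.version}: does not reference LP: #{lp_bug}")
    missing = sorted(expected_cves - entry.cves)
    if missing:
        problems.append(f"{entry.version}: missing {', '.join(missing)}")
    return problems


def audit_series(entries, lp_bug):
    """Expect the union of CVEs across the sibling uploads, so a series that
    silently dropped one stands out. Returns {version: [problems]}."""
    expected = set().union(*(e.cves for e in entries))
    return {e.version: audit(e, lp_bug, expected) for e in entries}


# Constructed input: the three entries quoted in this bug, trimmed to the
# header, CVE bullets and LP reference of each.
CHANGELOG = """\
mariadb-5.5 (5.5.56-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.56. Includes fixes made
    in release 5.5.55 for the following security vulnerabilities
    (LP: #1698689):
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3313
    - CVE-2017-3309
    - CVE-2017-3308
    - CVE-2017-3302

mariadb-10.0 (10.0.31-0ubuntu0.16.04.2) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.31. Includes fixes for the
    following security vulnerabilities (LP: #1698689):
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3309
    - CVE-2017-3308
  * Previous release 10.0.30 included fixes for
    the following security vulnerabilities:
    - CVE-2017-3313
    - CVE-2017-3302

mariadb-10.1 (10.1.25-0ubuntu0.17.04.1) zesty-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.1.25 (LP: #1698689)
  * Previous release 10.1.23 included fixes for
    the following security vulnerabilities:
    - CVE-2017-3464
    - CVE-2017-3456
    - CVE-2017-3453
    - CVE-2017-3309
    - CVE-2017-3308
  * Previous release 10.1.22 included fixes for
    - CVE-2017-3313
    - CVE-2017-3302
"""

if __name__ == "__main__":
    for version, problems in audit_series(parse_changelog(CHANGELOG), "1698689").items():
        print(version, "OK" if not problems else problems)
```

Run against the entries above, every series comes back clean with the same seven CVEs. Whether those seven are all of the USN's CVEs that apply to MariaDB is a separate question the script cannot answer; that list has to be taken from the USN and the upstream MariaDB release notes and passed in as `expected_cves`.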
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Unsubscribing ubuntu-security-sponsors since all that's left is artful dev release and we're not needed for that.

Changed in mariadb-10.1 (Ubuntu Artful):
status: New → Fix Released
Mathew Hodson (mhodson)
no longer affects: mariadb-5.5 (Ubuntu)
no longer affects: mariadb-10.0 (Ubuntu)
This report contains Public Security information  
Everyone can see this security related information.
