USN-3537-2: partially applies to MariaDB too

Bug #1751920 reported by Otto Kekäläinen
Affects | Status | Importance | Assigned to | Milestone
mariadb-10.0 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen |
mariadb-10.1 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen |
mariadb-5.5 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen |

Bug Description

https://usn.ubuntu.com/usn/usn-3537-2/

The security notice above also affects MariaDB, and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial
 - mariadb-10.1 in Artful

Otto Kekäläinen (otto)
information type: Public → Public Security
Otto Kekäläinen (otto)
description: updated
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at https://salsa.debian.org/mariadb-team/mariadb-5.5

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

As a reminder, full diffs can be browsed directly at https://salsa.debian.org/mariadb-team/mariadb-5.5/compare/ubuntu%2F5.5.58-1ubuntu0.14.04.1...ubuntu%2F5.5.59-1ubuntu0.14.04.1 and a debdiff can be generated in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsors, note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) wrote :

The 10.0 series update for 16.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.0

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

As a reminder, full diffs can be browsed directly at https://salsa.debian.org/mariadb-team/mariadb-10.0/compare/ubuntu%2F10.0.33-0ubuntu0.16.04.1...ubuntu%2F10.0.34-0ubuntu0.16.04.1 and a debdiff can be generated in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsors, note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Mathew Hodson (mhodson)
Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.1 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.59-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.59-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.59. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2562
  * Update metadata and point VCS-* links to the new source repository

 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 17:21:12 -0500

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.34-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
  * Update git-buildpackage Debian branch setting so gbp import-orig works
  * Update VCS-* links to point to the new source repository

 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 18:07:48 -0500

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
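
Added example, not part of the bug report or of any Launchpad or MariaDB tooling: a small parser that pulls the CVE ids out of the two changelog entries published above and reports which ids each entry does not list, which is how the "partially applies" in the title shows up per series. The entries are copied from this page (blank lines and non-CVE bullets dropped); the function names are hypothetical.

```python
import re

# The two changelog entries published in this report, abridged from the page.
CHANGELOGS = """\
mariadb-5.5 (5.5.59-1ubuntu0.14.04.1) trusty-security; urgency=high
  * SECURITY UPDATE: New upstream release 5.5.59. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2562
 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 17:21:12 -0500
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high
  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 18:07:48 -0500
"""

HEADER = re.compile(r"^([a-z0-9][a-z0-9+.-]+) \(([^)]+)\) [^;]+; urgency=\S+")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text):
    """Map (source, version) -> set of CVE ids named in that changelog entry."""
    entries, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = entries.setdefault(header.group(1, 2), set())
        elif line.startswith(" -- "):
            current = None  # the maintainer trailer closes the entry
        elif current is not None:
            current.update(CVE_ID.findall(line))
    return entries

def not_listed(entries):
    """CVEs some entry lists but this one does not (may mean 'not affected')."""
    union = set().union(*entries.values())
    return {key: sorted(union - cves) for key, cves in entries.items()}

if __name__ == "__main__":
    for (src, ver), missing in not_listed(parse_changelog(CHANGELOGS)).items():
        print(src, ver, "does not list:", ", ".join(missing) or "nothing")
```
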
Simon Quigley (tsimonq2) wrote :

Unsubscribing the Security Sponsors Team for now because there's nothing to sponsor for 10.1 yet. Please resubscribe us once you have the Artful debdiff.

Thank you.

Eduardo Barretto (ebarretto) wrote :

Setting mariadb-10.1 to 'Fix Released' as Bionic (1:10.1.34-0ubuntu0.18.04.1) and newer releases already contain the fixes for those CVEs.

Changed in mariadb-10.1 (Ubuntu):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.