Multiple MySQL 5.5 and 5.6 vulnerabilities

Bug #1578370 reported by Adam Heczko on 2016-05-04
This bug affects 2 people
Affects              Status   Importance   Assigned to       Milestone
Mirantis OpenStack            High         MOS Linux
  5.1.x                       High         MOS Maintenance
  6.0.x                       High         MOS Maintenance
  6.1.x                       High         MOS Maintenance
  7.0.x                       High         MOS Linux
  8.0.x                       High         MOS Linux
  9.x                         High         MOS Linux

Bug Description

==========================================================================
Ubuntu Security Notice USN-2953-1
April 21, 2016

mysql-5.5, mysql-5.6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.6: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.49 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 15.10 has been updated to MySQL 5.6.30.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-29.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-30.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  mysql-server-5.6 5.6.30-0ubuntu0.15.10.1

Ubuntu 14.04 LTS:
  mysql-server-5.5 5.5.49-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  mysql-server-5.5 5.5.49-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary changes.
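A worked check for the update instructions above, added here as an example and not part of the Ubuntu notice or of this bug: it parses `dpkg -l` output (a constructed sample modelled on the verification comments later in the bug) and compares each MySQL package's upstream version with the fixed upstream version that USN-2953-1 names (5.5.49 for mysql-5.5, 5.6.30 for mysql-5.6). The Debian version ordering is reimplemented in Python, on the assumption that it matches `dpkg --compare-versions` for the strings involved; the function names and the sample package lines are the example's own.

```python
"""Audit installed MySQL packages against the upstream versions fixed in USN-2953-1.

Added example, not code from the Ubuntu notice or the Launchpad bug. The
Debian version ordering below is a Python reimplementation assumed to match
`dpkg --compare-versions` for ordinary version strings.
"""
import re

# Fixed upstream versions named in USN-2953-1, keyed by package series.
FIXED_UPSTREAM = {"5.5": "5.5.49", "5.6": "5.6.30"}

# Constructed `dpkg -l` sample (not real host output): a MOS rebuild of the
# fixed upstream, an unpatched stock package, a fixed stock client, a
# removed-but-configured package, and an unrelated package.
SAMPLE_DPKG_L = """\
ii  mysql-server-wsrep-5.6  5.6.30-0~u14.04+mos1     amd64  MySQL database server binaries
ii  mysql-server-5.5        5.5.47-0ubuntu0.14.04.1  amd64  MySQL database server binaries
ii  mysql-client-5.6        5.6.30-0ubuntu0.15.10.1  amd64  MySQL database client binaries
rc  mysql-server-core-5.5   5.5.46-0ubuntu0.14.04.2  amd64  MySQL database server binaries
ii  openssl                 1.0.1f-1ubuntu2.19       amd64  Secure Sockets Layer toolkit
"""

DPKG_LINE = re.compile(r"^(\S{2})\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def _order(c):
    """dpkg character ordering: '~' sorts before the end of string, letters before other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment the way dpkg does (non-digit run, then digit run)."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = (v.split(":", 1) if ":" in v else ("0", v))
    upstream, revision = (rest.rsplit("-", 1) if "-" in rest else (rest, ""))
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_l(text):
    """Yield dicts for each well-formed `dpkg -l` row."""
    for line in text.splitlines():
        m = DPKG_LINE.match(line)
        if m:
            status, name, version, arch, desc = m.groups()
            yield {"status": status, "name": name, "version": version, "arch": arch, "description": desc}


def audit(text):
    """Map installed mysql-*-5.x packages to (installed version, fixed upstream, is_fixed)."""
    findings = {}
    for row in parse_dpkg_l(text):
        if row["status"] != "ii" or not row["name"].startswith("mysql-"):
            continue
        series = next((s for s in FIXED_UPSTREAM if row["name"].endswith("-" + s)), None)
        if series is None:
            continue  # series not encoded in the package name (e.g. mysql-common)
        fixed = FIXED_UPSTREAM[series]
        installed_upstream = _split(row["version"])[1]
        findings[row["name"]] = (row["version"], fixed, compare_versions(installed_upstream, fixed) >= 0)
    return findings


if __name__ == "__main__":
    for name, (installed, fixed, ok) in audit(SAMPLE_DPKG_L).items():
        print(f"{'OK ' if ok else 'VULN'} {name} {installed} (fixed upstream: {fixed})")
```

The check compares only the upstream part of the version because vendor rebuilds carry their own Debian revision: the MOS package `5.6.30-0~u14.04+mos1` sorts below Ubuntu's `5.6.30-0ubuntu0.15.10.1` (a `~` orders before anything else), so comparing the full string against the Ubuntu package version from the notice would wrongly flag a host that carries the fixed upstream. The flip side is that this only works where, as in this notice, the fix is shipped as a new upstream release; a distribution that backports a fix without bumping the upstream version would need the changelog consulted instead.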

References:
  http://www.ubuntu.com/usn/usn-2953-1
  CVE-2016-0639, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642,
  CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647,
  CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0655,
  CVE-2016-0661, CVE-2016-0665, CVE-2016-0666, CVE-2016-0668,
  CVE-2016-2047

Package Information:
  https://launchpad.net/ubuntu/+source/mysql-5.6/5.6.30-0ubuntu0.15.10.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.49-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.49-0ubuntu0.12.04.1

Changed in mos:
assignee: nobody → MOS Maintenance (mos-maintenance)
Changed in mos:
status: New → Confirmed
Denis Meltsaykin (dmeltsaykin) wrote :

Reassigning the bug to the MOS-Linux team per a conversation with Oleksandr Mogylchenko.

Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → MOS Linux (mos-linux)
Anton Matveev (amatveev) wrote :

sla1 for MOS 7.0

tags: added: customer-found sla1

Related fix proposed to branch: master
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/21933

Change abandoned by Ivan Suzdal <email address hidden> on branch: master
Review: https://review.fuel-infra.org/21933

Related fix proposed to branch: master
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/21937

tags: added: feature-security

Related fix proposed to branch: 9.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/22980

Related fix proposed to branch: 9.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/22988

Change abandoned by Ivan Suzdal <email address hidden> on branch: master
Review: https://review.fuel-infra.org/21937

Change abandoned by Ivan Suzdal <email address hidden> on branch: 9.0
Review: https://review.fuel-infra.org/22980

Related fix proposed to branch: 7.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/23145

Related fix proposed to branch: 8.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/23178

Reviewed: https://review.fuel-infra.org/23145
Submitter: Pkgs Jenkins <email address hidden>
Branch: 7.0

Commit: afa0945f8acb12835a81383ef3f32369328796a8
Author: Ivan Suzdal <email address hidden>
Date: Mon Jul 11 13:40:54 2016

Security update:

  * Update to 5.6.30 to fix security issues (LP: #1572559)
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
    - http://www.ubuntu.com/usn/usn-2953-1
    - CVE-2016-0639
    - CVE-2016-0640
    - CVE-2016-0641
    - CVE-2016-0642
    - CVE-2016-0643
    - CVE-2016-0644
    - CVE-2016-0646
    - CVE-2016-0647
    - CVE-2016-0648
    - CVE-2016-0649
    - CVE-2016-0650
    - CVE-2016-0655
    - CVE-2016-0661
    - CVE-2016-0665
    - CVE-2016-0666
    - CVE-2016-0668
    - CVE-2016-2047

Sourced from https://github.com/codership/mysql-wsrep/tree/wsrep_5.6.30-25.15

(cherry picked from 6e960091521d83e66c9fcc4acb0d2045110511b4)

Change-Id: I1923a2a227c3fee1e07924e84faa358be6ea608f
Related-Bug: #1578370

Reviewed: https://review.fuel-infra.org/22988
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: 6e960091521d83e66c9fcc4acb0d2045110511b4
Author: Ivan Suzdal <email address hidden>
Date: Fri Jul 8 17:39:21 2016

Security update:

  * Update to 5.6.30 to fix security issues (LP: #1572559)
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
    - http://www.ubuntu.com/usn/usn-2953-1
    - CVE-2016-0639
    - CVE-2016-0640
    - CVE-2016-0641
    - CVE-2016-0642
    - CVE-2016-0643
    - CVE-2016-0644
    - CVE-2016-0646
    - CVE-2016-0647
    - CVE-2016-0648
    - CVE-2016-0649
    - CVE-2016-0650
    - CVE-2016-0655
    - CVE-2016-0661
    - CVE-2016-0665
    - CVE-2016-0666
    - CVE-2016-0668
    - CVE-2016-2047

Sourced from https://github.com/codership/mysql-wsrep/tree/wsrep_5.6.30-25.15

Change-Id: I1923a2a227c3fee1e07924e84faa358be6ea608f
Related-Bug: #1578370

Reviewed: https://review.fuel-infra.org/23178
Submitter: Pkgs Jenkins <email address hidden>
Branch: 8.0

Commit: 58e53bfff47aa851048400423c4c23c07bceff18
Author: Ivan Suzdal <email address hidden>
Date: Tue Jul 12 12:39:32 2016

Security update:

  * Update to 5.6.30 to fix security issues (LP: #1572559)
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
    - http://www.ubuntu.com/usn/usn-2953-1
    - CVE-2016-0639
    - CVE-2016-0640
    - CVE-2016-0641
    - CVE-2016-0642
    - CVE-2016-0643
    - CVE-2016-0644
    - CVE-2016-0646
    - CVE-2016-0647
    - CVE-2016-0648
    - CVE-2016-0649
    - CVE-2016-0650
    - CVE-2016-0655
    - CVE-2016-0661
    - CVE-2016-0665
    - CVE-2016-0666
    - CVE-2016-0668
    - CVE-2016-2047

Sourced from https://github.com/codership/mysql-wsrep/tree/wsrep_5.6.30-25.15

Change-Id: I1923a2a227c3fee1e07924e84faa358be6ea608f
Related-Bug: #1578370

Verified on MOS 7.0 + MU5 updates.

MySQL packages were installed successfully during deployment of 7.0 with MU5 updates:
root@node-8:~# dpkg -l | grep mysql | grep 5.6.30
ii mysql-client-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database client binaries
ii mysql-client-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database core client binaries
ii mysql-server-wsrep-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries and system database setup
ii mysql-server-wsrep-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries
ii mysql-wsrep-common-5.6 5.6.30-0~u14.04+mos1 all MySQL 5.6 specific common files, e.g. /etc/mysql/conf.d/my-5.6.cnf

Verified on MOS 8.0 + MU3 updates.

MySQL packages were installed successfully during deployment of 8.0 with MU3 updates:
root@node-1:~# dpkg -l | grep mysql | grep 5.6.30
ii mysql-client-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database client binaries
ii mysql-client-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database core client binaries
ii mysql-server-wsrep-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries and system database setup
ii mysql-server-wsrep-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries
ii mysql-wsrep-common-5.6 5.6.30-0~u14.04+mos1 all MySQL 5.6 specific common files, e.g. /etc/mysql/conf.d/my-5.6.cnf

tags: added: on-verification
tags: removed: on-verification
Maksym Shalamov (mshalamov) wrote :

Verified on MOS 9.1 (snapshot #207).

MySQL packages were installed successfully during deployment of 9.1:

root@node-1:~# dpkg -l | grep mysql | grep 5.6.30
ii mysql-client-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database client binaries
ii mysql-client-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database core client binaries
ii mysql-server-wsrep-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries and system database setup
ii mysql-server-wsrep-core-5.6 5.6.30-0~u14.04+mos1 amd64 MySQL database server binaries
ii mysql-wsrep-common-5.6 5.6.30-0~u14.04+mos1 all MySQL 5.6 specific common files, e.g. /etc/mysql/conf.d/my-5.6.cnf

tags: added: on-verification
Maksim Malchuk (mmalchuk) wrote :

https://review.fuel-infra.org/#/c/26325/
Reverted because of LP#1620268 and LP#1621448.

Roman Vyalov (r0mikiam) wrote :

The bug was moved to New for 9.1 because of LP#1620268 and LP#1621448. Also, the new version of MySQL was removed from the proposed repos.

Ivan Suzdal (isuzdal) wrote :

Forgot to add 'Related-Bug' in https://review.fuel-infra.org/#/c/26542/ , sorry.
Version from this request contains all of these security patches.

Verified on MOS 9.2 snapshot #511.

MySQL packages were installed successfully during deployment of 9.2:

root@node-1:~# dpkg -l | grep mysql | grep 5.6.33
ii mysql-client-5.6 5.6.33-0~u14.04+mos3 amd64 MySQL database client binaries
ii mysql-client-core-5.6 5.6.33-0~u14.04+mos3 amd64 MySQL database core client binaries
ii mysql-server-wsrep-5.6 5.6.33-0~u14.04+mos3 amd64 MySQL database server binaries and system database setup
ii mysql-server-wsrep-core-5.6 5.6.33-0~u14.04+mos3 amd64 MySQL database server binaries
ii mysql-wsrep-common-5.6 5.6.33-0~u14.04+mos3 all MySQL 5.6 specific common files, e.g. /etc/mysql/conf.d/my-5.6.cnf

tags: removed: on-verification
Alexey Stupnikov (astupnikov) wrote :

We no longer support MOS 5.1 and MOS 6.0. Moving bug to 'Won't Fix' for those milestones.

This report contains Public Security information.
Everyone can see this security related information.
