CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability

Bug #1464895 reported by Otto Kekäläinen on 2015-06-13
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mariadb-10.0 (Ubuntu)
Undecided
Unassigned
mariadb-5.5 (Ubuntu)
Undecided
Unassigned

Bug Description

For details see http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3152.html

Latest MariaDB release 5.5.44 fixes this.

From https://mariadb.com/kb/en/mariadb/mariadb-5544-release-notes/:

  Client command line option --ssl-verify-server-cert (and MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used together with --ssl will ensure that the established connection is SSL-encrypted and the MariaDB server has a valid certificate. This fixes CVE-2015-3152.

I am now preparing an security release for Ubuntu 14.04 and 14.10.

Otto Kekäläinen (otto) on 2015-06-13
description: updated
Otto Kekäläinen (otto) wrote :

For complete pristine-tar/git-buildpackage history see https://github.com/ottok/mariadb-5.5/tree/ubuntu-14.04

The attached debdiff is produced by running
 mariadb-5.5$ git diff ubuntu/5.5.43-1ubuntu0.14.04.2 ubuntu-14.04 debian/ > 5.5.44-1ubuntu0.14.04.2.diff

Apply this debdiff on top of the current 5.5.43 package in Ubuntu 14.04 and for the non debian/* stuff, get the upstream mariadb-5.5.44.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).

Otto Kekäläinen (otto) wrote :

For complete pristine-tar/git-buildpackage history see https://github.com/ottok/mariadb-5.5/tree/ubuntu-14.10

The attached debdiff is produced by running
 mariadb-5.5$ git diff ubuntu/5.5.43-1ubuntu0.14.10.1 ubuntu-14.10 debian/ > 5.5.44-1ubuntu0.14.10.1.diff

Apply this debdiff on top of the current 5.5.43 package in Ubuntu 14.10 and for the non debian/* stuff, get the upstream mariadb-5.5.44.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).

Otto Kekäläinen (otto) wrote :

Successful builds (including test suite) visible at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all for Trusty and Utopic.

I have not had time yet to test actual installation or upgrade. Does your upload queue contain piuparts automation or similar?

Otto Kekäläinen (otto) on 2015-06-15
summary: - CVE-2015-3152: MySQL SSL/TLS downgrade downgrade vulnerability
+ CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability
Seth Arnold (seth-arnold) wrote :

We don't have piuparts in our update process.

For main packages, we use our "QRT" tests; for universe packages, we rely upon the submitters to perform testing.

I'm a little worried about making --ssl "mean something" -- MySQL apparently had a regression on RHEL/Centos due to weakdh-inspired DH changes in openssl: http://bugs.mysql.com/bug.php?id=77275 -- it'd be worth testing that this still works after applying http://www.ubuntu.com/usn/usn-2639-1/

Thanks

Seth Arnold (seth-arnold) wrote :

I'm uploading the packages to our ppa; I made one small change to the trusty changelog version, to 5.5.44-1ubuntu0.14.04.1 rather than .2.

Thanks Otto!

Otto Kekäläinen (otto) wrote :

I tested quickly running upgrade on a Trusty machine with ppa:mysql-ubuntu/mariadb enabled and everything went fine. This is the most critical use case. I have unfortunately not time nor an automatic system to more extensive testing for now.

$ sudo add-apt-repository ppa:mysql-ubuntu/mariadb
$ apt-get update
$ apt-get upgrade
$ service mysql status
 * /usr/bin/mysqladmin Ver 9.0 Distrib 5.5.44-MariaDB, for debian-linux-gnu on x86_64
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Server version 5.5.44-MariaDB-1ubuntu0.14.04.2~trusty1~1434224940
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 55 sec

Seth Arnold (seth-arnold) wrote :

Otto, what do you think? I'm inclined to release these updates as-is: you've smoke-tested an upgrade, the build tests are impressive, and these updates have historically been pretty good. Is there any reason to hold back an update any longer?

Thanks

Otto Kekäläinen (otto) wrote :

Yeah, go ahead and upload

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.44-1ubuntu0.14.10.1

---------------
mariadb-5.5 (5.5.44-1ubuntu0.14.10.1) utopic-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.44 to fix security issues (LP: #1464895):
    - CVE-2015-3152
  * Upstream also includes lots of line ending changes (from CRLF -> LF)
  * Removed hotfix patch now included in upstream release (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Sat, 13 Jun 2015 21:09:48 +0300

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.44-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.44-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.44 to fix security issues (LP: #1464895):
    - CVE-2015-3152
  * Upstream also includes lots of line ending changes (from CRLF -> LF)
  * Removed hotfix patch now included in upstream release (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Sat, 13 Jun 2015 21:09:48 +0300

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Excellent, thanks again Otto!

Otto Kekäläinen (otto) on 2015-06-21
information type: Private Security → Public
Otto Kekäläinen (otto) wrote :

The debdiff for 10.0.20 is attached to https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1451677 and uploading 10.0.20 will close both that and this issue.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.20-0ubuntu0.15.04.1

---------------
mariadb-10.0 (10.0.20-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.20 (via .18 and .19) fixes security issues:
    - CVE-2015-3152: Client command line option --ssl-verify-server-cert (and
      MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used
      together with --ssl will ensure that the established connection is
      SSL-encrypted and the MariaDB server has a valid certificate.
      (LP: #1464895)
    - CVE-2014-8964: bundled PCRE contained heap-based buffer overflow
      vulnerability that allowed the server to crash or have other unspecified
      impact via a crafted regular expression made possible with the
      REGEXP_SUBSTR function (MDEV-8006).
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
    (LP: #1451677)
  * New release includes fix for memory corruption on arm64 (LP: #1427406)
  * Upstream also includes lots of line ending changes (from CRLF -> LF)

 -- Otto Kekäläinen <email address hidden> Fri, 03 Jul 2015 17:39:42 +0300

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.