CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability

For complete pristine-tar/git-buildpackage history see https://github.com/ottok/mariadb-5.5/tree/ubuntu-14.04

The attached debdiff is produced by running
 mariadb-5.5$ git diff ubuntu/5.5.43-1ubuntu0.14.04.2 ubuntu-14.04 debian/ > 5.5.44-1ubuntu0.14.04.2.diff

Apply this debdiff on top of the current 5.5.43 package in Ubuntu 14.04 and for the non debian/* stuff, get the upstream mariadb-5.5.44.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).

For complete pristine-tar/git-buildpackage history see https://github.com/ottok/mariadb-5.5/tree/ubuntu-14.10

The attached debdiff is produced by running
 mariadb-5.5$ git diff ubuntu/5.5.43-1ubuntu0.14.10.1 ubuntu-14.10 debian/ > 5.5.44-1ubuntu0.14.10.1.diff

Apply this debdiff on top of the current 5.5.43 package in Ubuntu 14.10 and for the non debian/* stuff, get the upstream mariadb-5.5.44.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).

Successful builds (including test suite) visible at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all for Trusty and Utopic.

I have not had time yet to test actual installation or upgrade. Does your upload queue contain piuparts automation or similar?

We don't have piuparts in our update process.

For main packages, we use our "QRT" tests; for universe packages, we rely upon the submitters to perform testing.

I'm a little worried about making --ssl "mean something" -- MySQL apparently had a regression on RHEL/Centos due to weakdh-inspired DH changes in openssl: http://bugs.mysql.com/bug.php?id=77275 -- it'd be worth testing that this still works after applying http://www.ubuntu.com/usn/usn-2639-1/

Thanks

I'm uploading the packages to our ppa; I made one small change to the trusty changelog version, to 5.5.44-1ubuntu0.14.04.1 rather than .2.

Thanks Otto!

I tested quickly running upgrade on a Trusty machine with ppa:mysql-ubuntu/mariadb enabled and everything went fine. This is the most critical use case. I have unfortunately not time nor an automatic system to more extensive testing for now.

$ sudo add-apt-repository ppa:mysql-ubuntu/mariadb
$ apt-get update
$ apt-get upgrade
$ service mysql status
 * /usr/bin/mysqladmin Ver 9.0 Distrib 5.5.44-MariaDB, for debian-linux-gnu on x86_64
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Server version 5.5.44-MariaDB-1ubuntu0.14.04.2~trusty1~1434224940
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 55 sec

Otto, what do you think? I'm inclined to release these updates as-is: you've smoke-tested an upgrade, the build tests are impressive, and these updates have historically been pretty good. Is there any reason to hold back an update any longer?

Thanks

Yeah, go ahead and upload

This bug was fixed in the package mariadb-5.5 - 5.5.44-1ubuntu0.14.10.1

---------------
mariadb-5.5 (5.5.44-1ubuntu0.14.10.1) utopic-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.44 to fix security issues (LP: #1464895):
    - CVE-2015-3152
  * Upstream also includes lots of line ending changes (from CRLF -> LF)
  * Removed hotfix patch now included in upstream release (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Sat, 13 Jun 2015 21:09:48 +0300

This bug was fixed in the package mariadb-5.5 - 5.5.44-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.44-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.44 to fix security issues (LP: #1464895):
    - CVE-2015-3152
  * Upstream also includes lots of line ending changes (from CRLF -> LF)
  * Removed hotfix patch now included in upstream release (MDEV-8115)

 -- Otto Kekaelaeinen <email address hidden> Sat, 13 Jun 2015 21:09:48 +0300

Excellent, thanks again Otto!

The debdiff for 10.0.20 is attached to https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1451677 and uploading 10.0.20 will close both that and this issue.

This bug was fixed in the package mariadb-10.0 - 10.0.20-0ubuntu0.15.04.1

---------------
mariadb-10.0 (10.0.20-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.20 (via .18 and .19) fixes security issues:
    - CVE-2015-3152: Client command line option --ssl-verify-server-cert (and
      MYSQL_OPT_SSL_VERIFY_SERVER_CERT option of the client API) when used
      together with --ssl will ensure that the established connection is
      SSL-encrypted and the MariaDB server has a valid certificate.
      (LP: #1464895)
    - CVE-2014-8964: bundled PCRE contained heap-based buffer overflow
      vulnerability that allowed the server to crash or have other unspecified
      impact via a crafted regular expression made possible with the
      REGEXP_SUBSTR function (MDEV-8006).
    - CVE-2015-0501
    - CVE-2015-2571
    - CVE-2015-0505
    - CVE-2015-0499
    (LP: #1451677)
  * New release includes fix for memory corruption on arm64 (LP: #1427406)
  * Upstream also includes lots of line ending changes (from CRLF -> LF)

 -- Otto Kekäläinen <email address hidden> Fri, 03 Jul 2015 17:39:42 +0300