USN-2881-1: MySQL vulnerabilities also apply to MariaDB

Bug #1538315 reported by Otto Kekäläinen on 2016-01-26
Affects                        Importance   Assigned to
mariadb-10.0 (Ubuntu)          Medium       Unassigned
mariadb-10.0 (Ubuntu Vivid)    Medium       Steve Beattie
mariadb-10.0 (Ubuntu Wily)     Medium       Steve Beattie

Bug Description

The mentioned security notice also affects MariaDB, and the latest release includes fixes.

For trusty I already did mariadb-5.5.47 on December 10th:
https://bugs.launchpad.net/ubuntu/+source/mariadb-5.5/+bug/1524704

Nobody uploaded it even though it is a point release with an MRE granted. Can you upload it now?

For wily and vivid I'll prepare mariadb-10.0 version 10.0.23 now and attach as patches to this bug report.

Xenial already got 10.0.23 automatically from Debian testing/sid.

Otto Kekäläinen (otto) wrote :

Use uscan to get new upstream sources downloaded and signature verified automatically.

Remove the upstream provided debian/ directory and add the debian/* contents from the latest Ubuntu package.

Then apply the attached debdiff that updates the changelog and refreshes patches to match new upstream release.

Debdiff was created with command "git diff ubuntu/10.0.22-0ubuntu0.15.04.1..HEAD debian/ > 10.0.22-0ubuntu0.15.04.1..10.0.23-0ubuntu0.15.04.1.debdiff" in the official Debian packaging repository, branch ubuntu-15.04: http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/log/?h=ubuntu-15.04

As the MariaDB version in vivid and wily is identical, this same patch can basically be applied on both (just adjust the release name).

Please check the excellent Debian CVE trackers for details about which CVE applies to which package. Note in particular that MariaDB 10.0.23 has this fixed but it still goes unfixed in MySQL releases: https://security-tracker.debian.org/tracker/CVE-2016-2047
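The refresh routine described in the comment above (unpack the upstream tarball, drop the debian/ directory upstream ships, copy in the previous Ubuntu package's debian/, apply the debdiff), followed by the release check a reviewer would want before uploading: that the top changelog entry carries the new version and lists the CVE the comment singles out. This is an added example, not code from the bug report or from the pkg-mysql packaging. It assumes uscan has already fetched and signature-verified the tarball (that step is not repeated here), and the fixture it builds (tarball layout, the old and new changelog entries, the maintainer name and e-mail) is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report. Reproduces the
# "uscan tarball -> replace debian/ -> apply debdiff" routine on local
# files and then gates the result on the changelog contents.
set -e

# refresh_packaging TARBALL UBUNTU_DEBIAN_DIR DEBDIFF WORKDIR
# Unpacks TARBALL into WORKDIR, replaces the upstream-shipped debian/ with
# UBUNTU_DEBIAN_DIR, applies DEBDIFF and prints the resulting source tree.
refresh_packaging() {
    tarball=$1 ubuntu_debian=$2 debdiff=$3 work=$4
    mkdir -p "$work"
    tar -xzf "$tarball" -C "$work"
    # an .orig.tar.gz unpacks to exactly one top-level directory
    for d in "$work"/*/; do srcdir=${d%/}; break; done
    rm -rf "$srcdir/debian"                  # drop upstream's own packaging
    cp -R "$ubuntu_debian" "$srcdir/debian"  # previous Ubuntu packaging
    # the debdiff was produced with "git diff ... debian/", so its paths are
    # a/debian/... and b/debian/..., i.e. -p1 relative to the source root
    patch -s -d "$srcdir" -p1 < "$debdiff"
    printf '%s\n' "$srcdir"
}

# changelog_top_version SRCDIR -> version of the newest changelog entry
changelog_top_version() {
    head -n 1 "$1/debian/changelog" | sed -n 's/^[^ ]* (\([^)]*\)).*/\1/p'
}

# changelog_top_cves SRCDIR -> sorted unique CVE ids in the newest entry
changelog_top_cves() {
    # the newest entry ends at its " -- maintainer" trailer line
    sed -n '1,/^ -- /p' "$1/debian/changelog" \
        | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# check_release SRCDIR EXPECTED_VERSION CVE...
# Succeeds only when the newest changelog entry has EXPECTED_VERSION and
# lists every CVE named on the command line.
check_release() {
    srcdir=$1 expected=$2; shift 2
    [ "$(changelog_top_version "$srcdir")" = "$expected" ] || return 1
    cves=$(changelog_top_cves "$srcdir")
    for cve in "$@"; do
        printf '%s\n' "$cves" | grep -qxF "$cve" || return 1
    done
}

# build_fixture WORK: constructed stand-ins for what uscan, the previous
# Ubuntu package and the bug's debdiff would provide (hypothetical data).
build_fixture() {
    work=$1
    mkdir -p "$work/mariadb-10.0-10.0.23/debian"
    echo 'VERSION=10.0.23' > "$work/mariadb-10.0-10.0.23/VERSION"
    echo 'Source: mariadb-10.0 (upstream copy)' \
        > "$work/mariadb-10.0-10.0.23/debian/control"
    tar -czf "$work/mariadb-10.0_10.0.23.orig.tar.gz" -C "$work" mariadb-10.0-10.0.23
    mkdir -p "$work/a/debian" "$work/b/debian"
    echo 'Source: mariadb-10.0' > "$work/a/debian/control"
    cp "$work/a/debian/control" "$work/b/debian/control"
    cat > "$work/a/debian/changelog" <<'EOF'
mariadb-10.0 (10.0.22-0ubuntu0.15.04.1) vivid-security; urgency=low

  * Hypothetical previous entry for the example

 -- Example Maintainer <maint@example.invalid>  Thu, 10 Dec 2015 12:00:00 +0200
EOF
    cat > "$work/b/debian/changelog" <<'EOF'
mariadb-10.0 (10.0.23-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):
    - CVE-2016-2047
    - CVE-2016-0505

 -- Example Maintainer <maint@example.invalid>  Tue, 26 Jan 2016 23:59:51 +0200

EOF
    cat "$work/a/debian/changelog" >> "$work/b/debian/changelog"
    # same path shape as the debdiff in the bug: a/debian/... b/debian/...
    (cd "$work" && diff -ruN a/debian b/debian > "$work/10.0.22..10.0.23.debdiff" || true)
}
```

Run with a real .orig.tar.gz, the previous package's debian/ and the attached debdiff in place of build_fixture's constructed files; check_release is the gate to run before uploading, so that an entry that silently dropped CVE-2016-2047 (the one fixed in MariaDB 10.0.23 but still open in MySQL, per the comment) cannot reach the security PPA.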

Otto Kekäläinen (otto) on 2016-01-26
information type: Private Security → Public Security
Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Otto Kekäläinen (otto) wrote :

Note that http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/?h=ubuntu-15.04 is maintained with git-buildpackage and the repository includes the pristine-tar data, so you can also extract both the upstream and Debian packaging from this one single repository if you want. It would maybe be less work and less error-prone than doing the uscan+debdiff routine.

Steve Beattie (sbeattie) wrote :

Thanks for preparing this.

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
Changed in mariadb-10.0 (Ubuntu Vivid):
assignee: nobody → Steve Beattie (sbeattie)
importance: Undecided → Medium
status: New → In Progress
Changed in mariadb-10.0 (Ubuntu Wily):
assignee: nobody → Steve Beattie (sbeattie)
importance: Undecided → Medium
status: New → In Progress
Steve Beattie (sbeattie) wrote :

I've uploaded your mariadb-10.0 packages to the ubuntu-security-proposed ppa ( https://bugs.launchpad.net/ubuntu/wily/+source/mariadb-10.0/+bug/1538315 ) and will release these (barring some unforeseen issue discovered when reviewing the builds) early next week. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.23-0ubuntu0.15.10.1

---------------
mariadb-10.0 (10.0.23-0ubuntu0.15.10.1) wily-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):
    - CVE-2016-2047
    - CVE-2016-0616
    - CVE-2016-0609
    - CVE-2016-0608
    - CVE-2016-0606
    - CVE-2016-0600
    - CVE-2016-0598
    - CVE-2016-0597
    - CVE-2016-0596
    - CVE-2016-0546
    - CVE-2016-0505
  * Update TokuDB plugin install and copyright paths to match latest
    release done under Percona ownership

 -- Otto Kekäläinen <email address hidden> Tue, 26 Jan 2016 23:59:51 +0200

Changed in mariadb-10.0 (Ubuntu Wily):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.23-0ubuntu0.15.04.1

---------------
mariadb-10.0 (10.0.23-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):
    - CVE-2016-2047
    - CVE-2016-0616
    - CVE-2016-0609
    - CVE-2016-0608
    - CVE-2016-0606
    - CVE-2016-0600
    - CVE-2016-0598
    - CVE-2016-0597
    - CVE-2016-0596
    - CVE-2016-0546
    - CVE-2016-0505
  * Update TokuDB plugin install and copyright paths to match latest
    release done under Percona ownership

 -- Otto Kekäläinen <email address hidden> Tue, 26 Jan 2016 23:59:51 +0200

Changed in mariadb-10.0 (Ubuntu Vivid):
status: In Progress → Fix Released