USN-2953-1: MySQL vulnerabilities partially applies to MariaDB too

Bug #1589302 reported by Otto Kekäläinen on 2016-06-05
Affects                  Status        Importance  Assigned to      Milestone
mariadb-10.0 (Debian)    Fix Released  Unknown
mariadb-10.0 (Ubuntu)                  Medium      Otto Kekäläinen
  Wily                                 Medium      Unassigned
  Xenial                               Medium      Unassigned
  Yakkety                              Medium      Unassigned

Bug Description

The mentioned security notice also affects MariaDB, and the latest release includes fixes.

I will produce a security release and upload it as a patch to this bug report.

Otto Kekäläinen (otto) wrote :

Series 5.5 was already fixed and uploaded in https://bugs.launchpad.net/ubuntu/+source/mariadb-5.5/+bug/1573761

Series 10.0 has not been updated yet.

Otto Kekäläinen (otto) on 2016-06-07
information type: Private Security → Public Security
Otto Kekäläinen (otto) wrote :

10.0 series updates for 16.04 and 15.10 are now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 and ubuntu-15.10 branches at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds finished successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

MariaDB 10.0.25 has already been uploaded to Debian unstable and Debian Jessie without regressions.

Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

ACK on the branches. Packages are building now with a slightly changed version number and a better date. Once built, they will be released as security updates.

Thanks!

Changed in mariadb-10.0 (Ubuntu Wily):
status: New → Fix Committed
Changed in mariadb-10.0 (Ubuntu Xenial):
status: New → Fix Committed
Changed in mariadb-10.0 (Ubuntu Yakkety):
status: New → Confirmed
Changed in mariadb-10.0 (Ubuntu Wily):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Xenial):
importance: Undecided → Medium
Otto Kekäläinen (otto) wrote :

Where can I see the builds? At least not here yet: https://launchpad.net/ubuntu/+source/mariadb-10.0/+publishinghistory

I'll update the git branches to match what is actually in the Ubuntu archives once I see the final source you used for the xenial and wily builds.

Yakkety can be updated by simply syncing from Debian unstable. It has a delta about Boost 1.6 compatibility but that has been fixed in Debian and the delta can be dropped.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.25-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.25-0ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: New upstream release 10.0.25. Includes fixes for the
    following security vulnerabilities (LP: #1589302):
    - CVE-2016-0666
    - CVE-2016-0655
    - CVE-2016-0648
    - CVE-2016-0647
    - CVE-2016-0643
  * Includes fixes done in 10.0.24 for the following security vulnerabilities:
    - CVE-2016-0668
    - CVE-2016-0650
    - CVE-2016-0649
    - CVE-2016-0646
    - CVE-2016-0644
    - CVE-2016-0641
    - CVE-2016-0640
  * Updated old changelog entries to include new CVE identifiers.
  * Upstream included changes to logrotate script that supports systems that
    have multiple mysqld processes running (Closes: #810968).
  * Upstream included bugfix to mariadb-server-10.0 postinstall.
  * Update Maintainer in d/control to match Ubuntu conventions.

 -- Otto Kekäläinen <email address hidden> Wed, 08 Jun 2016 11:31:46 -0400

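The changelog above is in Debian changelog format, and the question a USN like this one raises is whether a given installed version already covers a given CVE. The following parser is an added example, not code from this bug or from the mariadb-10.0 packaging; the changelog text embedded in it is a constructed sample modelled on the entries in this report, and the address in the trailer is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample in debian/changelog format, modelled on the entries in this bug
# (trimmed to a few CVEs; the e-mail address is a placeholder, not a real one).
CHANGELOG = """\
mariadb-10.0 (10.0.25-0ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: New upstream release 10.0.25. Includes fixes for the
    following security vulnerabilities (LP: #1589302):
    - CVE-2016-0666
    - CVE-2016-0655
  * Includes fixes done in 10.0.24 for the following security vulnerabilities:
    - CVE-2016-0668

 -- Otto Kekäläinen <email address hidden>  Wed, 08 Jun 2016 11:31:46 -0400

mariadb-10.0 (10.0.23-0ubuntu0.16.04.1) xenial; urgency=low

  * New upstream release 10.0.23.

 -- Otto Kekäläinen <email address hidden>  Mon, 01 Feb 2016 10:00:00 +0200
"""

# Entry header: "<source> (<version>) <distribution>; urgency=<level>"
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)$")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text: str) -> List[Dict]:
    """Split a changelog into entries (newest first) with the CVE ids each one mentions."""
    entries: List[Dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"source": m.group(1), "version": m.group(2),
                            "distribution": m.group(3), "cves": []})
        elif entries:
            for cve in CVE.findall(line):
                if cve not in entries[-1]["cves"]:
                    entries[-1]["cves"].append(cve)
    return entries

def cves_fixed_at_or_before(text: str, version: str) -> set:
    """CVEs mentioned by `version` and every older entry; relies on newest-first order."""
    entries = parse_changelog(text)
    idx = next((i for i, e in enumerate(entries) if e["version"] == version), None)
    if idx is None:
        raise ValueError(f"version {version} not found in changelog")
    return {cve for entry in entries[idx:] for cve in entry["cves"]}

def is_fixed(text: str, cve: str, installed_version: str) -> bool:
    """True if the installed version's changelog history lists the CVE as addressed."""
    return cve in cves_fixed_at_or_before(text, installed_version)
```

A CVE mentioned in a changelog is only evidence that the packager claims it is addressed; for an actual patch-level check the Ubuntu CVE tracker entry for each id is the authoritative source.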
Changed in mariadb-10.0 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

I just published them now, you can see them at that link once the publisher runs. I have also synced Yakkety from Debian. Thanks!

Changed in mariadb-10.0 (Ubuntu Yakkety):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.25-0ubuntu0.15.10.1

---------------
mariadb-10.0 (10.0.25-0ubuntu0.15.10.1) wily-security; urgency=low

  * SECURITY UPDATE: New upstream release 10.0.25. Includes fixes for the
    following security vulnerabilities (LP: #1589302):
    - CVE-2016-0666
    - CVE-2016-0655
    - CVE-2016-0648
    - CVE-2016-0647
    - CVE-2016-0643
  * Includes fixes done in 10.0.24 for the following security vulnerabilities:
    - CVE-2016-0668
    - CVE-2016-0650
    - CVE-2016-0649
    - CVE-2016-0646
    - CVE-2016-0644
    - CVE-2016-0641
    - CVE-2016-0640
  * Updated old changelog entries to include new CVE identifiers.
  * Upstream included changes to logrotate script that supports systems that
    have multiple mysqld processes running.
  * Upstream included bugfix to mariadb-server-10.0 postinstall.

 -- Otto Kekäläinen <email address hidden> Tue, 07 Jun 2016 23:30:35 +0300

Changed in mariadb-10.0 (Ubuntu Wily):
status: Fix Committed → Fix Released
Otto Kekäläinen (otto) wrote :

Branch contents and tags now updated at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/ and match what was uploaded into Ubuntu.

Michael Hudson-Doyle (mwhudson) wrote :

This bug is Fix Released for yakkety now, isn't it?

Mathew Hodson (mathew-hodson) wrote :

This bug was fixed in Yakkety

---------------
mariadb-10.0 (10.0.25-1) unstable; urgency=low

  [ Otto Kekäläinen ]
  * Revert previous changes tailored for Ubuntu 16.04 compatibility.
  * New upstream release 10.0.25. Includes fixes for the following
    security vulnerabilities (Closes: #823325):
    - CVE-2016-0666
    - CVE-2016-0655
    - CVE-2016-0648
    - CVE-2016-0647
    - CVE-2016-0643
  * Updated old changelog entries to include new CVE identifiers.
  * Upstream included changes to logrotate script that supports systems that
    have multiple mysqld processes running (Closes: #810968).
  * Updated Dutch translation by Frans Spiesschaert (Closes: #822894).
  * Updated Spanish translation by Javier Fernández-Sanguino Peña
    (Closes: #823099).
  * Updated Russian translation by Yuri Kozlov (Closes: #823422).
  * Updated German translation by Chris Leick (Closes: #824487).
  * Updated Brazilian Portuguese translation (Closes: #824644).
  * Updated Turkish translation by Atila KOÇ (Closes: #825802).
  * Add patch to provide passwordless root accounts for test suite.
  * Updated Japanese translation by Takuma Yamada (Closes: #825813).

  [ Vicențiu Ciorbaru ]
  * Backport upstream MDEV-9479 fix: oqgraph fails to build with boost 1.60

 -- Otto Kekäläinen <email address hidden> Mon, 30 May 2016 22:43:30 +0300

Changed in mariadb-10.0 (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Changed in mariadb-10.0 (Debian):
status: Unknown → Fix Released
Otto Kekäläinen (otto) on 2016-10-31
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)