USN-3174-1: partially applies to MariaDB too

Bug #1657594 reported by Otto Kekäläinen on 2017-01-18
Affects                  Status  Importance  Assigned to  Milestone
mariadb-10.0 (Ubuntu)            Medium      Unassigned
  Xenial                         Medium      Unassigned
  Yakkety                        Medium      Unassigned
  Zesty                          Medium      Unassigned
mariadb-10.1 (Ubuntu)            Medium      Unassigned
  Zesty                          Medium      Unassigned
mariadb-5.5 (Ubuntu)
  Trusty                         Medium      Unassigned

Bug Description

https://www.ubuntu.com/usn/usn-3174-1/

The security notice above also affects MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial and Yakkety (zesty can sync from Debian)

Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Otto Kekäläinen (otto) wrote :

The 10.0 series updates for 16.04 and 16.10 are now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 and ubuntu-16.10 branches at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all for Yakkety.

I was unable to run test builds for Xenial because the repo ran out of space and there is nothing suitable to delete to free some space. My request for more space at https://answers.launchpad.net/launchpad/+question/440393 has not been answered yet.

Otto Kekäläinen (otto) wrote :

Zesty should be fixed by importing latest mariadb-10.1 10.1.21 from Debian unstable once available.

no longer affects: mariadb-10.0 (Ubuntu Trusty)
no longer affects: mariadb-10.1 (Ubuntu Trusty)
no longer affects: mariadb-10.1 (Ubuntu Xenial)
no longer affects: mariadb-10.1 (Ubuntu Yakkety)
no longer affects: mariadb-5.5 (Ubuntu Zesty)
no longer affects: mariadb-5.5 (Ubuntu Yakkety)
no longer affects: mariadb-5.5 (Ubuntu Xenial)
Tyler Hicks (tyhicks) on 2017-01-19
summary: - Recent MySQL vulnerabilities partially applies to MariaDB too
+ [USN-3174-1] partially applies to MariaDB too
summary: - [USN-3174-1] partially applies to MariaDB too
+ USN-3174-1: partially applies to MariaDB too
description: updated
no longer affects: mariadb-5.5 (Ubuntu)
Changed in mariadb-10.0 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Zesty):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in mariadb-10.1 (Ubuntu Zesty):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Thanks for the branches, ACK. Packages are building now and will be published when done.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.54-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.54-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.54. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 00:46:44 +0200

Changed in mariadb-5.5 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.29-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.29-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3257
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 08:58:35 +0200

Changed in mariadb-10.0 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.29-0ubuntu0.16.10.1

---------------
mariadb-10.0 (10.0.29-0ubuntu0.16.10.1) yakkety-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3257
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 00:32:48 +0200

Changed in mariadb-10.0 (Ubuntu Yakkety):
status: New → Fix Released
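
Added example, not part of the original bug thread or of the packaging: a small parser for the Debian changelog stanzas quoted above that collects the CVE ids per upload and reports which ids fixed in one series are not listed in another. The stanzas are condensed from the Launchpad Janitor comments (CVE ids wrapped several per line); the function names are illustrative.

```python
import re

# Debian changelog stanza header: "package (version) distribution; urgency=..."
HEADER = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) (?P<dist>[\w-]+); urgency=\w+")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Condensed from the changelog entries quoted in this bug report.
CHANGELOG = """\
mariadb-5.5 (5.5.54-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.54. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318 CVE-2017-3317 CVE-2017-3312 CVE-2017-3291 CVE-2017-3265
    - CVE-2017-3258 CVE-2017-3244 CVE-2017-3243 CVE-2017-3238 CVE-2016-6664

mariadb-10.0 (10.0.29-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318 CVE-2017-3317 CVE-2017-3312 CVE-2017-3291 CVE-2017-3265
    - CVE-2017-3258 CVE-2017-3257 CVE-2017-3244 CVE-2017-3243 CVE-2017-3238
    - CVE-2016-6664
"""

def cves_by_upload(text):
    """Map (package, version, distribution) -> set of CVE ids in that stanza."""
    uploads, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m["pkg"], m["ver"], m["dist"])
            uploads[current] = set()
        elif line.startswith(" -- "):
            current = None  # maintainer trailer line ends the stanza
        elif current is not None:
            uploads[current].update(CVE.findall(line))
    return uploads

def coverage_gaps(uploads):
    """Per upload: CVEs listed in some other upload but not in this one."""
    everything = set().union(*uploads.values()) if uploads else set()
    return {key: sorted(everything - cves) for key, cves in uploads.items()}

if __name__ == "__main__":
    for (pkg, ver, dist), missing in coverage_gaps(cves_by_upload(CHANGELOG)).items():
        print(f"{pkg} {ver} ({dist}): not listed: {', '.join(missing) or 'none'}")
```

An id that appears in one series' changelog but not another's is a prompt for triage, not a verdict: the changelog alone does not say whether that series is unaffected or still unfixed.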
Steve Beattie (sbeattie) wrote :

mariadb-10.1 10.1.21-5 has made it into zesty, which addresses the CVEs here, closing that task.

Changed in mariadb-10.1 (Ubuntu Zesty):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

mariadb-10.0 has been pulled from zesty (in favor of mariadb-10.1), marking that task invalid.

Thanks!

Changed in mariadb-10.0 (Ubuntu Zesty):
status: New → Invalid
This report contains Public Security information
Everyone can see this security related information.