USN-2480-1: MySQL vulnerabilities partially also applies to MariaDB
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mariadb-5.5 (Ubuntu) | | Undecided | Otto Kekäläinen | |
Bug Description
The mentioned security issues were mostly already fixed in previous MariaDB versions, and the rest of them were fixed in 5.5.41, which is now a security release.
From https:/
Fixes for the following security vulnerabilities:
CVE-2015-0411
CVE-2015-0382
CVE-2015-0381
CVE-2015-0432
CVE-2014-6568
CVE-2015-0374
I will produce a security release and upload it as a patch to this bug report.
| Changed in mariadb-5.5 (Ubuntu): | |
| assignee: | nobody → Otto Kekäläinen (otto) |
| status: | New → In Progress |
| Otto Kekäläinen (otto) wrote : | #1 |
| Otto Kekäläinen (otto) wrote : | #2 |
I have now tested manually that the new package installs OK and also upgrades both old MariaDB and MySQL correctly. Feel free to upload MariaDB 5.5.41 to Trusty and Utopic with the debdiff type patches above.
| Seth Arnold (seth-arnold) wrote : | #3 |
Otto, I wish we'd finished this yesterday, the cacert.pem expired today causing the builds on the build service to fail despite successful builds on my development laptop.
Any suggestions how to replace this file with one that will allow the builds to finish?
mysql-test/
Thanks
| Otto Kekäläinen (otto) wrote : Re: [Bug 1414755] Re: USN-2480-1: MySQL vulnerabilities partially also applies to MariaDB | #4 |
2015-01-29 2:37 GMT+02:00 Seth Arnold <email address hidden>:
> Otto, I wish we'd finished this yesterday, the cacert.pem expired today
> causing the builds on the build service to fail despite successful
> builds on my development laptop.
>
> Any suggestions how to replace this file with one that will allow the
> builds to finish?
>
> mysql-test/
I have reported this upstream, they are working on issuing a new test
certificate so that the test suite would pass. Bad luck it expired
28th 05:55..
| Otto Kekäläinen (otto) wrote : | #5 |
FYI: The cacert.pem dates back from 2005 and upstream-upstream MySQL
has the same file. I checked if there is an update but there is
nothing new in the repo since September, not even a code dump since
the 5.5.41 release:
https:/
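The expired test CA in mysql-test/ discussed above is the kind of failure a pre-build check catches before the build service does. The following is an added example, not code from this bug report, MariaDB or Ubuntu: it reads a PEM certificate's validity window with only the Python standard library (a minimal DER walk to the Validity sequence) and reports days to expiry. The certificate it runs on is a constructed, unsigned skeleton built by `sample_pem`, not the real cacert.pem, and the function names are the example's own.

```python
import base64
from datetime import datetime, timezone
def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = value.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: YY >= 50 -> 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(pem):
    """Return (notBefore, notAfter) of the first certificate in a PEM string."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64), 0)       # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                         # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                    # skip the optional [0] version
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                   # Validity SEQUENCE
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _time(t1, nb), _time(t2, na)

def days_until_expiry(pem, now=None):
    """Whole days until notAfter; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(pem)[1] - now).days

def _der(tag, body):  # short-form DER TLV encoder, only for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_pem(not_before, not_after):
    """Constructed, unsigned certificate skeleton with only the fields the parser walks."""
    empty = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + empty + empty + validity + empty + empty)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")
# Constructed sample approximating the report's timeline: issued 2005, lapsing 2015-01-28 05:55.
EXPIRED_PEM = sample_pem(b"050128055500Z", b"150128055500Z")
```

Run against the real mysql-test/ certificates, a negative or small `days_until_expiry` value is the signal to regenerate the test CA before the suite starts failing.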
| Otto Kekäläinen (otto) wrote : | #6 |
Fix pushed to github (the links above will show the latest diff) and new test builds running at https:/
I am travelling (in FOSDEM) and don't know when I can check the builds next time. Feel free to check the builds in a couple of hours and continue with your part of the process if everything is OK.
| information type: | Private Security → Public Security |
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package mariadb-5.5 - 5.5.41-
---------------
mariadb-5.5 (5.5.41-
* SECURITY UPDATE: Update to 5.5.41 to fix security issues (LP: #1414755)
- CVE-2015-0411
- CVE-2015-0382
- CVE-2015-0381
- CVE-2015-0432
- CVE-2014-6568
- CVE-2015-0374
* As approved by Seth Arnold, this security update also imports the latest
mariadb-5.5 packaging from Debian which includes useful and low-risk
fixes:
- Updated Dutch translation by Frans Spiesschaert
- Updated control file so that mariadb-client-5.5 breaks and replaces
the package mariadb-server-5.5 to allow overwriting the innochecksum
man page file which has changed location (LP: #1368124) as per
doc https:/
- Backported the fix of #770177 from 10.0 to 5.5 so that the migration
question will not be asked repeatedly. (LP: #1392539)
* Backported new cacert.pem etc from 5.5 to replace the expired ones
-- Otto Kekaelaeinen <email address hidden> Mon, 26 Jan 2015 21:15:00 +0200
| Changed in mariadb-5.5 (Ubuntu): | |
| status: | In Progress → Fix Released |
| Seth Arnold (seth-arnold) wrote : | #8 |
Thanks Otto.
I've asked for mariadb-5.5 to be removed from vivid and future in https:/
Thanks
| Otto Kekäläinen (otto) wrote : | #9 |
Hello!
I just started getting feedback from users whose updates fail - it seems I screwed up in a bugfix and introduced a new bug. The new bug was fixed in 10.0 but somehow I missed thinking about backporting it.
What shall we do? Upload 5.5.41-1ubuntu packages directly?
Here are the debdiffs:
https:/
https:/


1) Patches have been created:
The debdiff patch for Trusty is essentially this: https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.40-0ubuntu0.14.04.1...ubuntu-14.04
And for Utopic this: https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.40-0ubuntu0.14.10.1...ubuntu-14.10
Apply the patches above on top of the current 5.5.40 package in Ubuntu and, for the non-debian/* stuff, get the upstream mariadb-5.5.41.tar.gz package from MariaDB.org.
Vivid MariaDB 5.5 should be removed. Debian unstable at the moment only contains MariaDB 10.0 and so should Vivid too.
After this upgrade the MariaDB 5.5 in Trusty and Utopic are unified.
2) Testing the patches
Test build (including test suite) for Trusty and Utopic has passed successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+packages
I will still do some testing upgrading/installing the Trusty package on a test machine.
I will comment on this issue when my manual tests are completed.