USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mariadb-10.0 (Ubuntu) | | Medium | Tyler Hicks | |
| mariadb-5.5 (Ubuntu) | | Undecided | Otto Kekäläinen | |
Bug Description
The mentioned security notice also affects MariaDB, and the latest release includes fixes.
From https:/
Fixes for the following security vulnerabilities:
CVE-2015-0501
CVE-2015-2571
CVE-2015-0505
CVE-2015-0499
I will produce a security release and upload it as a patch to this bug report.
Otto Kekäläinen (otto) wrote (#1):
information type: Private Security → Public Security
Otto Kekäläinen (otto) wrote (#2):
The matching diffs for 14.10 are:
https:/
https:/
As ready to be applied diff:
https:/
..or patch format:
https:/
Successful public build available (and also installable from the PPA) at https:/
Note: I haven't actually tested installs or upgrades yet, but as you can see in the debdiff there are no changes to control files or install scripts.
description: updated
Otto Kekäläinen (otto) wrote (#3):
Backported fix to crashing mysql_upgrade from 10.0.19 to 5.5.43 as upstream said they will postpone publishing 5.5.44 for now, see https:/
Otto Kekäläinen (otto) wrote (#4):
Ping Ubuntu maintainers?
Tyler Hicks (tyhicks) wrote (#5):
Hi Otto - If you're ready for security sponsorship, please subscribe ubuntu-
Changed in mariadb-5.5 (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote (#6):
Thanks Otto, packages are building now.
There is an oddity I noticed in the .debdiffs I generated: there are /tmp/*/... files changed in the packages. From the trusty package:
$ grep ^Binary !$
grep ^Binary ../source/
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
Binary files /tmp/XkuaG7K9CK
.. and from the utopic package:
$ grep ^Binary ../source/*debdiff
Binary files /tmp/_2kqsreixm
Binary files /tmp/_2kqsreixm
Binary files /tmp/_2kqsreixm
Otto Kekäläinen (otto) wrote (#7):
Thanks for the feedback!
Here is a diff on the deb file contents between .41 and .43:
$ diff filelist-
800d799
< -rw-r--r-- root/root ./usr/share/
838d836
< -rw-r--r-- root/root ./usr/share/
1167d1164
< -rw-r--r-- root/root ./usr/share/
1238d1234
< -rw-r--r-- root/root ./usr/share/
1247d1242
< -rw-r--r-- root/root ./usr/share/
1283d1277
< -rw-r--r-- root/root ./usr/share/
1343d1336
< -rw-r--r-- root/root ./usr/share/
1820d1812
< -rw-r--r-- root/root ./usr/share/
1890d1881
< -rw-r--r-- root/root ./usr/share/
2128d2118
< -rw-r--r-- root/root ./usr/share/
2131d2120
< -rw-r--r-- root/root ./usr/share/
2154d2142
< -rw-r--r-- root/root ./usr/share/
2241d2228
< -rw-r--r-- root/root ./usr/share/
2277d2263
< -rw-r--r-- root/root ./usr/share/
2399,2407d2384
< drwxr-xr-x root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
< -rw-r--r-- root/root ./usr/share/
2420d2396
< -rw-r--r-- root/root ./usr/share/
2426d2401
< -rw-r--r-- root/root ./usr/share/
2645d2619
< -rw-r--r-- root/root ./usr/share/
2767d2740
< -rw-r--r-- root/root ./usr/share/
3451d3423
< -rw-r--r-- root/root ./usr/share/
3459d3430
< -rw-r--r-- root/root ./usr/share/
6279d6249
< -rw-r--r-- root/root ./usr/share/
6297d6266
< -rw-r--r-- root/root ./usr/share/
6550d6518
< -rw-r--r-- root/root ./usr/share/
6597d6564
< -rw-r--r-- root/root ./usr/share/
6887d6853...
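The file-list comparison Otto describes above, as an added example that is not from this thread or the MariaDB packaging: it parses two listings in `dpkg-deb -c` format (constructed sample data here, not the real 5.5.41/5.5.43 file lists) and reports removed, added and mode-changed paths, and separately flags setuid/setgid or world-writable entries that a sponsor would want to see before uploading.

```python
import re

# Constructed sample listings in `dpkg-deb -c` format (mode owner size date time path);
# these are illustrative, not the real mariadb 5.5.41/5.5.43 file lists.
OLD_LIST = """\
drwxr-xr-x root/root          0 2015-02-01 10:00 ./usr/bin/
-rwxr-xr-x root/root      12345 2015-02-01 10:00 ./usr/bin/mysql_upgrade
-rw-r--r-- root/root        512 2015-02-01 10:00 ./usr/share/mysql/errmsg-utf8.txt
-rw-r--r-- root/root        100 2015-02-01 10:00 ./usr/share/mysql/old_feature.sql
"""
NEW_LIST = """\
drwxr-xr-x root/root          0 2015-05-05 09:17 ./usr/bin/
-rwsr-xr-x root/root      12400 2015-05-05 09:17 ./usr/bin/mysql_upgrade
-rw-r--r-- root/root        520 2015-05-05 09:17 ./usr/share/mysql/errmsg-utf8.txt
-rw-rw-rw- mysql/mysql       64 2015-05-05 09:17 ./etc/mysql/debian.cnf
"""

# One tar-style listing line: mode, owner/group, size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<owner>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<path>\S+)$")

def parse_filelist(text):
    """Return {path: (mode, owner)} for every parseable line of a listing."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group("path")] = (m.group("mode"), m.group("owner"))
    return entries

def compare_filelists(old_text, new_text):
    """Paths removed, added, or whose mode/owner changed between two listings."""
    old, new = parse_filelist(old_text), parse_filelist(new_text)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def risky_entries(text):
    """Flag setuid/setgid entries and world-writable paths in a listing."""
    # Mode string slots: 3 = user exec (setuid bit), 6 = group exec (setgid bit), 8 = other write.
    checks = ((3, "sS", "setuid"), (6, "sS", "setgid"), (8, "w", "world-writable"))
    flagged = {}
    for path, (mode, _owner) in parse_filelist(text).items():
        reasons = [name for idx, bits, name in checks if mode[idx] in bits]
        if reasons:
            flagged[path] = reasons
    return flagged
```

Feed it the output of `dpkg-deb -c old.deb` and `dpkg-deb -c new.deb` to reproduce the "filelist" diff from the comment with permission changes called out explicitly.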
Launchpad Janitor (janitor) wrote (#8):
This bug was fixed in the package mariadb-5.5 - 5.5.43-
---------------
mariadb-5.5 (5.5.43-
* SECURITY UPDATE: Update to 5.5.43 to fix security issues (LP: #1451677):
- CVE-2015-0501
- CVE-2015-2571
- CVE-2015-0505
- CVE-2015-0499
* Hotfix patch to fix the server crash caused by mysql_upgrade (MDEV-8115)
-- Otto Kekaelaeinen <email address hidden> Tue, 05 May 2015 09:17:31 +0300
Changed in mariadb-5.5 (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote (#9):
This bug was fixed in the package mariadb-5.5 - 5.5.43-
---------------
mariadb-5.5 (5.5.43-
* SECURITY UPDATE: Update to 5.5.43 to fix security issues (LP: #1451677):
- CVE-2015-0501
- CVE-2015-2571
- CVE-2015-0505
- CVE-2015-0499
* Hotfix patch to fix the server crash caused by mysql_upgrade (MDEV-8115)
-- Otto Kekaelaeinen <email address hidden> Tue, 05 May 2015 09:17:31 +0300
Changed in mariadb-5.5 (Ubuntu):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote (#10):
I'm sorry Otto, I misunderstood the output from debdiff. It even feels slightly familiar that I may have made this mistake before with the mariadb packages. I'm sorry for wasting your time on it.
Thanks again for preparing updates! It's very much appreciated.
Otto Kekäläinen (otto) wrote (#11):
This also applies for MariaDB 10.0 which is in Vivid. I have prepared a branch for 15.04 at https:/
What is the proper version number for vivid security update?
See https:/
Otto Kekäläinen (otto) wrote (#12):
Attached output of command 'git diff ubuntu/
The result is the debdiff
Get the original upstream source from upstream, eg. using uscan.
Tyler Hicks (tyhicks) wrote (#13):
Hi Otto - the version you used is correct.
I'm building the package over the weekend and expect to publish the update Monday morning if everything goes as planned. Thanks!
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: New → In Progress
Tyler Hicks (tyhicks) wrote (#14):
Hello Otto - I should be publishing the 15.04 updates shortly. Do you plan on preparing an update for mariadb-10.0 in the devel release (Wily)?
Launchpad Janitor (janitor) wrote (#15):
This bug was fixed in the package mariadb-10.0 - 10.0.20-
---------------
mariadb-10.0 (10.0.20-
* SECURITY UPDATE: Update to 10.0.20 (via .18 and .19) fixes security issues:
- CVE-2015-3152: Client command line option --ssl-verify-
MYSQL_
together with --ssl will ensure that the established connection is
SSL-encrypted and the MariaDB server has a valid certificate.
(LP: #1464895)
- CVE-2014-8964: bundled PCRE contained heap-based buffer overflow
vulnerability that allowed the server to crash or have other unspecified
impact via a crafted regular expression made possible with the
REGEXP_SUBSTR function (MDEV-8006).
- CVE-2015-0501
- CVE-2015-2571
- CVE-2015-0505
- CVE-2015-0499
(LP: #1451677)
* New release includes fix for memory corruption on arm64 (LP: #1427406)
* Upstream also includes lots of line ending changes (from CRLF -> LF)
-- Otto Kekäläinen <email address hidden> Fri, 03 Jul 2015 17:39:42 +0300
Changed in mariadb-10.0 (Ubuntu):
status: In Progress → Fix Released
Otto Kekäläinen (otto) wrote (#16):
@TylerHicks: I don't plan to do a separate release for Wily as I expect that it will sync the latest version from Debian unstable before 15.10 release.
Otto Kekäläinen (otto) wrote (#17):
@TylerHicks: sorry, I didn't realize that syncing from Debian has stopped in 15.04 and later releases. So 15.10 went unpatched..
Anyway, I've now opened #1512241 for a new security issue.
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
The 14.04 patch is now done. You can view the whole diff from the current Ubuntu 14.04 MariaDB 5.5.41 release to 5.5.43 at https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.41-1ubuntu0.14.04.1...ubuntu-14.04
For a diff that only includes the changes for debian/* files after importing upstream 5.5.43 on the base, see https://github.com/ottok/mariadb-5.5/compare/f7f0aa7dc852bdecd2ec6e619aa5fc8c200af770...ubuntu-14.04
You can download it as a diff from the URL: https://github.com/ottok/mariadb-5.5/compare/f7f0aa7dc852bdecd2ec6e619aa5fc8c200af770...ubuntu-14.04.diff
This is the debdiff you should apply on top of the current 5.5.41 package in Ubuntu, and for the non-debian/* stuff, get the upstream mariadb-5.5.41.tar.gz package from MariaDB.org (use uscan with pgp signature checking, the package supports it).
Successful public build available (and also installable from the PPA) at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all
Note: I haven't actually tested installs or upgrades yet, but as you can see in the debdiff there are no changes to control files or install scripts.
Next I'll do the same for 14.10.