USN-3459-1: partially applies to MariaDB too

Bug #1740608 reported by Otto Kekäläinen
Affects | Status | Importance | Assigned to | Milestone
mariadb-10.0 (Ubuntu) | Fix Released | Undecided | Unassigned |
mariadb-5.5 (Ubuntu) | Fix Released | Medium | Otto Kekäläinen |

Bug Description

https://usn.ubuntu.com/usn/usn-3459-1/

The security notice above also affects MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty

Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Otto Kekäläinen (otto)
Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

As a reminder, debdiffs can be browsed directly from the repo like this:
https://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/diff/debian/?id=ubuntu/5.5.58-1ubuntu0.14.04.1&id2=ubuntu/5.5.58-1ubuntu0.14.04.1

Or in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.58-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.58-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.58. Includes fixes for
    the following security vulnerabilities (LP: #1740608):
    - CVE-2017-10378, MDEV-13819
    - CVE-2017-10268
  * Update previous changelog entries to contain new CVE identifiers
  * Includes upstream MDEV-13819 server crash fix (LP: #1735876)

 -- Otto Kekäläinen <email address hidden> Sat, 30 Dec 2017 17:55:52 +0200

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Otto Kekäläinen (otto) wrote :

The 10.0 series update for 16.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/log/?h=ubuntu-16.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

As a reminder, debdiffs can be browsed directly from the repo like this:
https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/diff/debian/?id=ubuntu/10.0.31-0ubuntu0.16.04.1&id2=ubuntu/10.0.29-0ubuntu0.16.04.1

Or in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.33-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.33-0ubuntu0.16.04.1) xenial-security; urgency=high

  [ Otto Kekäläinen ]
  * SECURITY UPDATE: New upstream release 10.0.33. Includes fixes for the
    following security vulnerabilities (LP: #1740608):
    - CVE-2017-10378
    - CVE-2017-10268
    - MDEV-13819
  * Previous release 10.0.32 included fixes for
    - CVE-2017-10384
    - CVE-2017-10379
    - CVE-2017-10286
    - CVE-2017-3636
    - CVE-2017-3641
    - CVE-2017-3653
  * Remove InnoDB build failure fix applied upstream

 -- Otto Kekäläinen <email address hidden> Thu, 04 Jan 2018 11:44:00 +0200

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.