USN-3537-2: partially applies to MariaDB too

Bug #1751920 reported by Otto Kekäläinen on 2018-02-26
Affects: mariadb-10.0 (Ubuntu); Importance: Medium; Assigned to: Otto Kekäläinen
Affects: mariadb-10.1 (Ubuntu); Importance: Medium; Assigned to: Otto Kekäläinen
Affects: mariadb-5.5 (Ubuntu); Importance: Medium; Assigned to: Otto Kekäläinen

Bug Description

https://usn.ubuntu.com/usn/usn-3537-2/

The security notice above also affects MariaDB, and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial
 - mariadb-10.1 in Artful

Otto Kekäläinen (otto) on 2018-02-26
information type: Public → Public Security
Otto Kekäläinen (otto) on 2018-02-26
description: updated
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at https://salsa.debian.org/mariadb-team/mariadb-5.5

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

As a reminder, full diffs can be browsed directly at https://salsa.debian.org/mariadb-team/mariadb-5.5/compare/ubuntu%2F5.5.58-1ubuntu0.14.04.1...ubuntu%2F5.5.59-1ubuntu0.14.04.1 and a debdiff can be generated in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor, note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) wrote :

The 10.0 series update for 16.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.0

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

As a reminder, full diffs can be browsed directly at https://salsa.debian.org/mariadb-team/mariadb-10.0/compare/ubuntu%2F10.0.33-0ubuntu0.16.04.1...ubuntu%2F10.0.34-0ubuntu0.16.04.1 and a debdiff can be generated in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor, note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.1 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.59-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.59-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.59. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2562
  * Update metadata and point VCS-* links to the new source repository

 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 17:21:12 -0500

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.34-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
  * Update git-buildpackage Debian branch setting so gbp import-orig works
  * Update VCS-* links to point to the new source repository

 -- Otto Kekäläinen <email address hidden> Mon, 26 Feb 2018 18:07:48 -0500

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
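
The two changelog stanzas above name slightly different CVE sets. As an added example (not part of the bug report or of the MariaDB packaging), the following Python parses Debian changelog stanzas like those and reports which CVE IDs are named for one package but not another. The function names are hypothetical, and a reported gap only means the ID is not named in that stanza, so applicability to that series still has to be checked.

```python
import re

# Changelog stanzas copied from the two Launchpad Janitor comments (trailer lines omitted).
CHANGELOG = """\
mariadb-5.5 (5.5.59-1ubuntu0.14.04.1) trusty-security; urgency=high
  * SECURITY UPDATE: New upstream release 5.5.59. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2562

mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high
  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
    the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
"""

# Stanza header: "<source> (<version>) <distribution>; urgency=<level>"
HEADER = re.compile(r"^(?P<source>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) "
                    r"(?P<dist>[\w -]+); urgency=(?P<urgency>\w+)", re.M)
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
LP_BUG = re.compile(r"LP: #(\d+)")

def parse_changelog(text):
    """Return {source: {version, dist, urgency, cves, lp_bugs}} per stanza."""
    headers = list(HEADER.finditer(text))
    stanzas = {}
    for i, h in enumerate(headers):
        # A stanza body runs from its header to the next header (or end of text).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        stanzas[h["source"]] = {
            "version": h["version"], "dist": h["dist"], "urgency": h["urgency"],
            "cves": set(CVE.findall(body)),
            "lp_bugs": set(LP_BUG.findall(body)),
        }
    return stanzas

def cve_coverage_gaps(stanzas):
    """Per package, CVEs named in some other stanza but not in this one."""
    all_cves = set().union(*(s["cves"] for s in stanzas.values()))
    return {src: sorted(all_cves - s["cves"]) for src, s in stanzas.items()}
```

Calling `cve_coverage_gaps(parse_changelog(CHANGELOG))` flags CVE-2018-2612 for mariadb-5.5, the one ID that appears only in the 10.0 stanza.
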
Simon Quigley (tsimonq2) wrote :

Unsubscribing the Security Sponsors Team for now because there's nothing to sponsor for 10.1 yet. Please resubscribe us once you have the Artful debdiff.

Thank you.

Setting mariadb-10.1 to 'Fix Released' as Bionic (1:10.1.34-0ubuntu0.18.04.1) and newer releases already contain the fixes for those CVEs.

Changed in mariadb-10.1 (Ubuntu):
status: New → Fix Released