Bug #1779715 “USN-3629-3: partially applies to MariaDB too” : Bugs : mariadb-5.5 package : Ubuntu

Bug Description

https://usn.ubuntu.com/usn/usn-3629-3
https://usn.ubuntu.com/usn/usn-3629-1

The security notice above also affect MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
- mariadb.5.5 in Trusty
- mariadb-10.0 in Xenial
- mariadb-10.1 in Bionic

Cosmic can sync from Debian, so there is no need to prepare an upload for it. Artful is soon end-of-line, and the previous upload messed up things, so I don't plan touching it in this round.

See original description

Add tags Tag help

CVE References

Otto Kekäläinen (otto) on 2018-07-02

description:

updated

Otto Kekäläinen (otto) wrote on 2018-07-08:

1%10.1.29-6..HEAD.debdiff Edit (34.1 KiB, text/plain)

The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.044

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates?field.comment=The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.044

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) wrote on 2018-07-08:

Correct URL for packaging source repo above is https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04. For additional validation I also attached the debdiff.

Leonidas S. Barbosa (leosilvab) wrote on 2018-07-23:

Hi Otto,

I'm not sure what I did wrong:

Steps I did:
1. gbp clone --debian-branch=ubuntu-18.04 https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git bionic-sponsoring
2. cd bionic-sponsoring
3. gbp buildpackage --git-builder="umt source"
Error> gbp:error: Pristine-tar couldn't checkout "mariadb-10.1_10.1.34.orig.tar.gz": fatal: Path 'mariadb-10.1_10.1.34.orig.tar.gz.delta' does not exist in 'refs/heads/pristine-tar'
pristine-tar: git show refs/heads/pristine-tar:mariadb-10.1_10.1.34.orig.tar.gz.delta failed

From prestine branch:

(pristine-tar) ls
mariadb-10.0_10.0.10.orig.tar.gz.delta mariadb-10.0_10.0.26.orig.tar.gz.id
mariadb-10.0_10.0.10.orig.tar.gz.id mariadb-10.0_10.0.27.orig.tar.gz.delta
mariadb-10.0_10.0.13.orig.tar.gz.delta mariadb-10.0_10.0.27.orig.tar.gz.id
mariadb-10.0_10.0.13.orig.tar.gz.id mariadb-10.0_10.0.28.orig.tar.gz.delta
mariadb-10.0_10.0.14.orig.tar.gz.delta mariadb-10.0_10.0.28.orig.tar.gz.id
mariadb-10.0_10.0.14.orig.tar.gz.id mariadb-10.0_10.0.8.orig.tar.gz.delta
mariadb-10.0_10.0.15.orig.tar.gz.delta mariadb-10.0_10.0.8.orig.tar.gz.id
mariadb-10.0_10.0.15.orig.tar.gz.id mariadb-10.0_10.0.9.orig.tar.gz.delta
mariadb-10.0_10.0.16.orig.tar.gz.delta mariadb-10.0_10.0.9.orig.tar.gz.id
mariadb-10.0_10.0.16.orig.tar.gz.id mariadb-10.1_10.1.20.orig.tar.gz.delta
mariadb-10.0_10.0.17.orig.tar.gz.delta mariadb-10.1_10.1.20.orig.tar.gz.id
mariadb-10.0_10.0.17.orig.tar.gz.id mariadb-10.1_10.1.21.orig.tar.gz.delta
mariadb-10.0_10.0.18.orig.tar.gz.delta mariadb-10.1_10.1.21.orig.tar.gz.id
mariadb-10.0_10.0.18.orig.tar.gz.id mariadb-10.1_10.1.22.orig.tar.gz.delta
mariadb-10.0_10.0.19.orig.tar.gz.delta mariadb-10.1_10.1.22.orig.tar.gz.id
mariadb-10.0_10.0.19.orig.tar.gz.id mariadb-10.1_10.1.23.orig.tar.gz.delta
mariadb-10.0_10.0.20.orig.tar.gz.delta mariadb-10.1_10.1.23.orig.tar.gz.id
mariadb-10.0_10.0.20.orig.tar.gz.id mariadb-10.1_10.1.24.orig.tar.gz.delta
mariadb-10.0_10.0.21.orig.tar.gz.delta mariadb-10.1_10.1.24.orig.tar.gz.id
mariadb-10.0_10.0.21.orig.tar.gz.id mariadb-10.1_10.1.25.orig.tar.gz.delta
mariadb-10.0_10.0.22.orig.tar.gz.delta mariadb-10.1_10.1.25.orig.tar.gz.id
mariadb-10.0_10.0.22.orig.tar.gz.id mariadb-10.1_10.1.26.orig.tar.gz.delta
mariadb-10.0_10.0.23.orig.tar.gz.delta mariadb-10.1_10.1.26.orig.tar.gz.id
mariadb-10.0_10.0.23.orig.tar.gz.id mariadb-10.1_10.1.28.orig.tar.gz.delta
mariadb-10.0_10.0.24.orig.tar.gz.delta mariadb-10.1_10.1.28.orig.tar.gz.id
mariadb-10.0_10.0.24.orig.tar.gz.id mariadb-10.1_10.1.29.orig.tar.gz.delta
mariadb-10.0_10.0.25.orig.tar.gz.delta mariadb-10.1_10.1.29.orig.tar.gz.id
mariadb-10.0_10.0.25.orig.tar.gz.id mariadb-10.1_10.1.30.orig.tar.gz.delta
mariadb-10.0_10.0.26.orig.tar.gz.delta mariadb-10.1_10.1.30.orig.tar.gz.id

Otto Kekäläinen (otto) wrote on 2018-07-25:

Sorry. Ran now git push --all so that all branches are published on salsa.debian.org

Leonidas S. Barbosa (leosilvab) wrote on 2018-07-27:

Now I'm getting this:

gbp buildpackage --git-builder="umt source"
gbp:error: Pristine-tar couldn't checkout "mariadb-10.1_10.1.34.orig.tar.gz": pristine-tar: delta is version 3, newer than maximum supported version 2
pristine-tar: failed to generate tarbal

Otto Kekäläinen (otto) wrote on 2018-07-29:

Hello!

I don't have umt installed, but I tested that a plain gbp buildpackage -S -d works for me. Using gbp version 0.9.8 (from Ubuntu Bionic). Are you running something older?

Leonidas S. Barbosa (leosilvab) wrote on 2018-07-30:

Thanks Otto,

Yep it seems my old version (0.7.2) is the issue also "pristine-tar format 3 requires a newer version of pristine-tar than is in xenial".

Otto Kekäläinen (otto) wrote on 2018-08-02:

Unmangled link:
https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Work-in-progress in repos:
https://salsa.debian.org/mariadb-team/mariadb-5.5
https://salsa.debian.org/mariadb-team/mariadb-10.0

In repo https://salsa.debian.org/mariadb-team/mariadb-10.1 this was already completed.

Test builds pending:
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

Marc Deslauriers (mdeslaur) wrote on 2018-08-02:

Thanks Otto!

The bionic package is being built in the security team PPA and will likely get published today.

Launchpad Janitor (janitor) wrote on 2018-08-02:

#10

This bug was fixed in the package mariadb-10.1 - 1:10.1.34-0ubuntu0.18.04.1

---------------
mariadb-10.1 (1:10.1.34-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream release 10.1.34. Includes fixes for
    the security vulnerabilities from previous releases (LP: #1779715).
  * Previous upstream version 10.1.33 included fixes for the following
    security vulnerabilities:
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2787
    - CVE-2018-2784
    - CVE-2018-2782
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2766
    - CVE-2018-2761
    - CVE-2018-2755
  * Previous upstream version 10.1.31 included fixes for the following
    security vulnerabilities:
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
  * Previous upstream version 10.1.30 included fixes for the following
    security vulnerabilities:
    - CVE-2017-15365

  [ Otto Kekäläinen ]
  * Update VCS-* links to point to the new source repository
  * Update Maintainer in d/control for Ubuntu repositories
  * Delete unnecessary systemd files introduced by upstream
  * Add new files introduced by upstream to correct packages

  [ Vicențiu Ciorbaru ]
  * Extend libmariadbclient-rename.patch to cover TokuDB as well
  * Disable disks.disks test

-- Otto Kekäläinen <email address hidden> Sun, 08 Jul 2018 11:14:42 +0300

Changed in mariadb-10.1 (Ubuntu):
status:	New → Fix Released

Otto Kekäläinen (otto) wrote on 2018-08-03:

#11

MariaDB 5.5.61-1ubuntu0.14.04.1 is now also available in git. All tests have passed and it is ready for upload to Trusty.

Otto Kekäläinen (otto) wrote on 2018-08-03:

#12

MariaDB 10.0.36-0ubuntu0.16.04.1 is now also available in git. All tests have passed and it is ready for upload to Xenial. Note that MariaDB 10.0.36 was released only a few days ago and has more CVE's fixed than just the USN mentioned in the title.

Otto Kekäläinen (otto) wrote on 2018-08-06:

#13

Reminder that Trusty and Xenial are ready for upload, just waiting for security sponsoring.

Steve Beattie (sbeattie) wrote on 2018-08-24:

#14

Thanks Otto, sorry for the delay. I'll take this.

Changed in mariadb-10.0 (Ubuntu):
assignee:	nobody → Steve Beattie (sbeattie)
Changed in mariadb-5.5 (Ubuntu):
assignee:	Otto Kekäläinen (otto) → Steve Beattie (sbeattie)

Launchpad Janitor (janitor) wrote on 2018-08-28:

#15

This bug was fixed in the package mariadb-10.0 - 10.0.36-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.36-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.36. Includes fixes for
    the following security vulnerabilities (LP: #1779715):
    - CVE-2018-3066
    - CVE-2018-3064
    - CVE-2018-3063
    - CVE-2018-3058
  * Previous release 10.0.35 included included fixes for
    - CVE-2018-3081
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2787
    - CVE-2018-2784
    - CVE-2018-2782
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2766
    - CVE-2018-2761
    - CVE-2018-2755

-- Otto Kekäläinen <email address hidden> Thu, 02 Aug 2018 23:45:15 +0800

Changed in mariadb-10.0 (Ubuntu):
status:	New → Fix Released

Launchpad Janitor (janitor) wrote on 2018-08-28:

#16

This bug was fixed in the package mariadb-5.5 - 5.5.61-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.61-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.61. Includes fixes for
    the following security vulnerabilities (LP: #1779715):
    - CVE-2018-3081
    - CVE-2018-3066
    - CVE-2018-3063
    - CVE-2018-3058
  * Previous release 5.5.60 included included fixes for
    the following security vulnerabilities:
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2761
    - CVE-2018-2755

-- Otto Kekäläinen <email address hidden> Thu, 02 Aug 2018 23:25:55 +0800

Changed in mariadb-5.5 (Ubuntu):
status:	New → Fix Released

Ubuntu
mariadb-5.5 package

USN-3629-3: partially applies to MariaDB too

Bug Description

CVE References

Other bug subscribers

Patches

Ubuntumariadb-5.5 package

USN-3629-3: partially applies to MariaDB too

Bug Description

CVE References

Other bug subscribers

Patches

Ubuntu
mariadb-5.5 package