USN-3629-3: partially applies to MariaDB too

Bug #1779715 reported by Otto Kekäläinen
Affects                Status        Importance   Assigned to     Milestone
mariadb-10.0 (Ubuntu)  Fix Released  Undecided    Steve Beattie
mariadb-10.1 (Ubuntu)  Fix Released  Undecided    Unassigned
mariadb-5.5 (Ubuntu)   Fix Released  Undecided    Steve Beattie

Bug Description

https://usn.ubuntu.com/usn/usn-3629-3
https://usn.ubuntu.com/usn/usn-3629-1

The security notices above also affect MariaDB, and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial
 - mariadb-10.1 in Bionic

Cosmic can sync from Debian, so there is no need to prepare an upload for it. Artful is soon end-of-life, and the previous upload messed up things, so I don't plan on touching it in this round.

Otto Kekäläinen (otto)
description: updated
Revision history for this message
Otto Kekäläinen (otto) wrote :

The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.044

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
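As an added example (not part of this bug report, and not the security team's umt tooling), a small POSIX shell helper for the sponsor-side checks described in the comment above: regenerate the orig tarball with gbp/pristine-tar, compare its SHA1 against a value obtained from a trusted source, optionally verify a detached signature, and produce the debian/ diff between two tags for review. The function names, the keyring argument and the debdiff file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes the expected
# checksum is supplied by the caller from a trusted source (upstream
# release page or a previously sponsored upload), never from the repo
# being checked, and that gbp/pristine-tar are installed for check_release.

# verify_tarball_sha1 <tarball> <expected-sha1>
# Returns 0 when the SHA1 of the regenerated tarball matches, 1 otherwise.
verify_tarball_sha1() {
    tarball=$1
    expected=$2
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    actual=$(sha1sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA1 mismatch for $tarball" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# verify_tarball_sig <tarball> <detached .asc> <keyring>
# Returns 0 only when gpg accepts the detached signature with that keyring
# (an explicit keyring avoids trusting whatever happens to be imported).
verify_tarball_sig() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# check_release <tag1> <tag2> <orig.tar.gz file name> <expected sha1>
# Run inside the packaging clone on the ubuntu-* branch: regenerate the
# orig tarball from the pristine-tar branch into ../, verify it, then write
# the debian/ diff between the two tags (the page's own git diff recipe).
check_release() {
    gbp export-orig --pristine-tar || return 1
    verify_tarball_sha1 "../$3" "$4" || return 1
    git diff "$1".."$2" -- debian/ > "../${1}_to_${2}.debdiff"
}
```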

Revision history for this message
Otto Kekäläinen (otto) wrote :

Correct URL for packaging source repo above is https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04. For additional validation I also attached the debdiff.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi Otto,

I'm not sure what I did wrong:

Steps I did:
 1. gbp clone --debian-branch=ubuntu-18.04 https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git bionic-sponsoring
 2. cd bionic-sponsoring
 3. gbp buildpackage --git-builder="umt source"
  Error> gbp:error: Pristine-tar couldn't checkout "mariadb-10.1_10.1.34.orig.tar.gz": fatal: Path 'mariadb-10.1_10.1.34.orig.tar.gz.delta' does not exist in 'refs/heads/pristine-tar'
pristine-tar: git show refs/heads/pristine-tar:mariadb-10.1_10.1.34.orig.tar.gz.delta failed

From the pristine-tar branch:

(pristine-tar) ls
mariadb-10.0_10.0.10.orig.tar.gz.delta mariadb-10.0_10.0.26.orig.tar.gz.id
mariadb-10.0_10.0.10.orig.tar.gz.id mariadb-10.0_10.0.27.orig.tar.gz.delta
mariadb-10.0_10.0.13.orig.tar.gz.delta mariadb-10.0_10.0.27.orig.tar.gz.id
mariadb-10.0_10.0.13.orig.tar.gz.id mariadb-10.0_10.0.28.orig.tar.gz.delta
mariadb-10.0_10.0.14.orig.tar.gz.delta mariadb-10.0_10.0.28.orig.tar.gz.id
mariadb-10.0_10.0.14.orig.tar.gz.id mariadb-10.0_10.0.8.orig.tar.gz.delta
mariadb-10.0_10.0.15.orig.tar.gz.delta mariadb-10.0_10.0.8.orig.tar.gz.id
mariadb-10.0_10.0.15.orig.tar.gz.id mariadb-10.0_10.0.9.orig.tar.gz.delta
mariadb-10.0_10.0.16.orig.tar.gz.delta mariadb-10.0_10.0.9.orig.tar.gz.id
mariadb-10.0_10.0.16.orig.tar.gz.id mariadb-10.1_10.1.20.orig.tar.gz.delta
mariadb-10.0_10.0.17.orig.tar.gz.delta mariadb-10.1_10.1.20.orig.tar.gz.id
mariadb-10.0_10.0.17.orig.tar.gz.id mariadb-10.1_10.1.21.orig.tar.gz.delta
mariadb-10.0_10.0.18.orig.tar.gz.delta mariadb-10.1_10.1.21.orig.tar.gz.id
mariadb-10.0_10.0.18.orig.tar.gz.id mariadb-10.1_10.1.22.orig.tar.gz.delta
mariadb-10.0_10.0.19.orig.tar.gz.delta mariadb-10.1_10.1.22.orig.tar.gz.id
mariadb-10.0_10.0.19.orig.tar.gz.id mariadb-10.1_10.1.23.orig.tar.gz.delta
mariadb-10.0_10.0.20.orig.tar.gz.delta mariadb-10.1_10.1.23.orig.tar.gz.id
mariadb-10.0_10.0.20.orig.tar.gz.id mariadb-10.1_10.1.24.orig.tar.gz.delta
mariadb-10.0_10.0.21.orig.tar.gz.delta mariadb-10.1_10.1.24.orig.tar.gz.id
mariadb-10.0_10.0.21.orig.tar.gz.id mariadb-10.1_10.1.25.orig.tar.gz.delta
mariadb-10.0_10.0.22.orig.tar.gz.delta mariadb-10.1_10.1.25.orig.tar.gz.id
mariadb-10.0_10.0.22.orig.tar.gz.id mariadb-10.1_10.1.26.orig.tar.gz.delta
mariadb-10.0_10.0.23.orig.tar.gz.delta mariadb-10.1_10.1.26.orig.tar.gz.id
mariadb-10.0_10.0.23.orig.tar.gz.id mariadb-10.1_10.1.28.orig.tar.gz.delta
mariadb-10.0_10.0.24.orig.tar.gz.delta mariadb-10.1_10.1.28.orig.tar.gz.id
mariadb-10.0_10.0.24.orig.tar.gz.id mariadb-10.1_10.1.29.orig.tar.gz.delta
mariadb-10.0_10.0.25.orig.tar.gz.delta mariadb-10.1_10.1.29.orig.tar.gz.id
mariadb-10.0_10.0.25.orig.tar.gz.id mariadb-10.1_10.1.30.orig.tar.gz.delta
mariadb-10.0_10.0.26.orig.tar.gz.delta mariadb-10.1_10.1.30.orig.tar.gz.id

Revision history for this message
Otto Kekäläinen (otto) wrote :

Sorry. Ran now git push --all so that all branches are published on salsa.debian.org

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Now I'm getting this:

gbp buildpackage --git-builder="umt source"
gbp:error: Pristine-tar couldn't checkout "mariadb-10.1_10.1.34.orig.tar.gz": pristine-tar: delta is version 3, newer than maximum supported version 2
pristine-tar: failed to generate tarbal

Revision history for this message
Otto Kekäläinen (otto) wrote :

Hello!

I don't have umt installed, but I tested that a plain gbp buildpackage -S -d works for me. Using gbp version 0.9.8 (from Ubuntu Bionic). Are you running something older?

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Thanks Otto,

Yep, it seems my old version (0.7.2) is the issue; also: "pristine-tar format 3 requires a newer version of pristine-tar than is in xenial".

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks Otto!

The bionic package is being built in the security team PPA and will likely get published today.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.1 - 1:10.1.34-0ubuntu0.18.04.1

---------------
mariadb-10.1 (1:10.1.34-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream release 10.1.34. Includes fixes for
    the security vulnerabilities from previous releases (LP: #1779715).
  * Previous upstream version 10.1.33 included fixes for the following
    security vulnerabilities:
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2787
    - CVE-2018-2784
    - CVE-2018-2782
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2766
    - CVE-2018-2761
    - CVE-2018-2755
  * Previous upstream version 10.1.31 included fixes for the following
    security vulnerabilities:
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
  * Previous upstream version 10.1.30 included fixes for the following
    security vulnerabilities:
    - CVE-2017-15365

  [ Otto Kekäläinen ]
  * Update VCS-* links to point to the new source repository
  * Update Maintainer in d/control for Ubuntu repositories
  * Delete unnecessary systemd files introduced by upstream
  * Add new files introduced by upstream to correct packages

  [ Vicențiu Ciorbaru ]
  * Extend libmariadbclient-rename.patch to cover TokuDB as well
  * Disable disks.disks test

 -- Otto Kekäläinen <email address hidden> Sun, 08 Jul 2018 11:14:42 +0300

Changed in mariadb-10.1 (Ubuntu):
status: New → Fix Released
Revision history for this message
Otto Kekäläinen (otto) wrote :

MariaDB 5.5.61-1ubuntu0.14.04.1 is now also available in git. All tests have passed and it is ready for upload to Trusty.

Revision history for this message
Otto Kekäläinen (otto) wrote :

MariaDB 10.0.36-0ubuntu0.16.04.1 is now also available in git. All tests have passed and it is ready for upload to Xenial. Note that MariaDB 10.0.36 was released only a few days ago and has more CVEs fixed than just the USN mentioned in the title.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Reminder that Trusty and Xenial are ready for upload, just waiting for security sponsoring.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks Otto, sorry for the delay. I'll take this.

Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Changed in mariadb-5.5 (Ubuntu):
assignee: Otto Kekäläinen (otto) → Steve Beattie (sbeattie)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.36-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.36-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.36. Includes fixes for
    the following security vulnerabilities (LP: #1779715):
    - CVE-2018-3066
    - CVE-2018-3064
    - CVE-2018-3063
    - CVE-2018-3058
  * Previous release 10.0.35 included fixes for
    - CVE-2018-3081
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2787
    - CVE-2018-2784
    - CVE-2018-2782
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2766
    - CVE-2018-2761
    - CVE-2018-2755

 -- Otto Kekäläinen <email address hidden> Thu, 02 Aug 2018 23:45:15 +0800

Changed in mariadb-10.0 (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.61-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.61-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.61. Includes fixes for
    the following security vulnerabilities (LP: #1779715):
    - CVE-2018-3081
    - CVE-2018-3066
    - CVE-2018-3063
    - CVE-2018-3058
  * Previous release 5.5.60 included fixes for
    the following security vulnerabilities:
    - CVE-2018-2819
    - CVE-2018-2817
    - CVE-2018-2813
    - CVE-2018-2781
    - CVE-2018-2771
    - CVE-2018-2761
    - CVE-2018-2755

 -- Otto Kekäläinen <email address hidden> Thu, 02 Aug 2018 23:25:55 +0800

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released