[SRU] percona-xtradb-cluster 5.6.37, percona-galera 3.21

Bug #1735691 reported by James Page on 2017-12-01
Affects                              Status  Importance  Assigned to  Milestone
percona-galera-3 (Ubuntu)                    High        Unassigned
  Xenial                                     High        Unassigned
  Zesty                                      High        Unassigned
  Artful                                     High        Unassigned
  Bionic                                     High        Unassigned
percona-xtradb-cluster-5.6 (Ubuntu)          High        Unassigned
  Xenial                                     High        Unassigned
  Zesty                                      High        Unassigned
  Artful                                     High        Unassigned
  Bionic                                     High        Unassigned

Bug Description

Stable update of Percona XtraDB Cluster including security fixes for the following CVEs:

CVE-2016-5617
CVE-2016-8327
CVE-2017-15365
CVE-2017-3238
CVE-2017-3244
CVE-2017-3251
CVE-2017-3256
CVE-2017-3257
CVE-2017-3258
CVE-2017-3265
CVE-2017-3273
CVE-2017-3291
CVE-2017-3305
CVE-2017-3308
CVE-2017-3309
CVE-2017-3313
CVE-2017-3317
CVE-2017-3318
CVE-2017-3329
CVE-2017-3450
CVE-2017-3452
CVE-2017-3453
CVE-2017-3461
CVE-2017-3462
CVE-2017-3463
CVE-2017-3464
CVE-2017-3599
CVE-2017-3600

Some of those are directly in PXC, others come from MySQL 5.6 as released by Oracle.

James Page (james-page) on 2017-12-01
Changed in percona-xtradb-cluster-5.6 (Ubuntu):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
status: New → Triaged
Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
status: New → Triaged
Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Xenial):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Zesty):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Artful):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Xenial):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
importance: Undecided → High
Changed in percona-galera-3 (Ubuntu Zesty):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
importance: Undecided → High
Changed in percona-galera-3 (Ubuntu Artful):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
importance: Undecided → High
James Page (james-page) wrote :

(some complication here in that we also need to rev galera to support this update to pxc - however percona-galera-3 is only used by pxc-5.6 so this is low risk with no potential of outside regressions).

description: updated
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu1

---------------
percona-galera-3 (3.21-0ubuntu1) bionic; urgency=medium

  * New upstream release (LP: #1735691):
    - d/p/*: Refresh.
  * d/rules,control: Force use of gcc-6 for compilation, aligning
    with pxc-5.6.
  * d/copyright: Tidy duplicate License naming.
  * d/control: Drop BD on dh-systemd, version debhelper as needed.
  * d/control: Bumped Standards-Version to 4.1.1:
    - d/copyright: Use https in Format field.
  * d/control: Update Vcs field for Ubuntu.

 -- James Page <email address hidden> Fri, 01 Dec 2017 12:22:53 +0000

Changed in percona-galera-3 (Ubuntu Bionic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu1) bionic; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.
  * d/p/*: Refresh.
  * d/control: Bumped Standards-Version to 4.1.1:
    - d/copyright: Use https in Format field.

 -- James Page <email address hidden> Fri, 01 Dec 2017 12:23:40 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Bionic):
status: Triaged → Fix Released
James Page (james-page) wrote :

I've placed updated packages for xenial, zesty and artful into:

  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3067

I've tested upgrades of the xenial packages in a three unit pxc cluster; each unit was upgraded in turn, correctly re-joining the cluster and re-syncing with the other two units.

I'll re-test all three against the actual security-proposed packages.

James Page (james-page) wrote :

For sponsor - there is already an update for percona-xtradb-cluster-5.6 in the UNAPPROVED queue for artful; this update forces use of gcc-6 for compilation as gcc-7 resulted in a build that segfaulted continually. The security updates have been made on top of this change, and percona-galera-6 has been moved to the same model as part of the security update for artful.

Emily Ratliff (emilyr) wrote :

James, the packages are in security-proposed and ready for testing.

James Page (james-page) wrote :

Tested upgrades for xenial, zesty and artful with three unit pxc deployments:

Model                   Controller               Cloud/Region             Version  SLA
security-testing-take2  serverstack-serverstack  serverstack/serverstack  2.3.0    unsupported

App                     Version       Status  Scale  Charm            Store       Rev  OS      Notes
percona-cluster-artful  5.6.37-26.21  active  3      percona-cluster  jujucharms  278  ubuntu
percona-cluster-xenial  5.6.37-26.21  active  3      percona-cluster  jujucharms  278  ubuntu
percona-cluster-zesty   5.6.37-26.21  active  3      percona-cluster  jujucharms  256  ubuntu

Unit                       Workload  Agent  Machine  Public address  Ports     Message
percona-cluster-artful/0*  active    idle   0        10.5.0.28       3306/tcp  Unit is ready
percona-cluster-artful/1   active    idle   1        10.5.0.35       3306/tcp  Unit is ready
percona-cluster-artful/2   active    idle   2        10.5.0.3        3306/tcp  Unit is ready
percona-cluster-xenial/0   active    idle   3        10.5.0.43       3306/tcp  Unit is ready
percona-cluster-xenial/1   active    idle   4        10.5.0.11       3306/tcp  Unit is ready
percona-cluster-xenial/2*  active    idle   5        10.5.0.7        3306/tcp  Unit is ready
percona-cluster-zesty/0    active    idle   6        10.5.0.29       3306/tcp  Unit is ready
percona-cluster-zesty/1*   active    idle   7        10.5.0.4        3306/tcp  Unit is ready
percona-cluster-zesty/2    active    idle   8        10.5.0.17       3306/tcp  Unit is ready

Machine  State    DNS        Inst id                               Series  AZ    Message
0        started  10.5.0.28  0009d493-08b4-4d90-8e80-489a35cdc0d1  artful  nova  ACTIVE
1        started  10.5.0.35  90aef5f8-28cc-4a03-afdf-d8f06d3d9d55  artful  nova  ACTIVE
2        started  10.5.0.3   008eee4f-bd01-486b-a4af-ddd8d37bab94  artful  nova  ACTIVE
3        started  10.5.0.43  c0a74321-bea1-4ea1-85e3-9094add314cc  xenial  nova  ACTIVE
4        started  10.5.0.11  27e3ac73-72d4-437b-8c73-116c8cc8783d  xenial  nova  ACTIVE
5        started  10.5.0.7   1c830d03-b8b7-4378-ab8d-760b14890941  xenial  nova  ACTIVE
6        started  10.5.0.29  4494afaf-7627-402f-bfe5-5a0979d2dc60  zesty   nova  ACTIVE
7        started  10.5.0.4   55a0afc8-cb7b-45f1-a3cd-190a259225b6  zesty   nova  ACTIVE
8        started  10.5.0.17  e0c72022-d4f1-4e4f-8476-53ea207184e7  zesty   nova  ACTIVE

Relation provider               Requirer                        Interface        Type  Message
percona-cluster-artful:cluster  percona-cluster-artful:cluster  percona-cluster  peer
percona-cluster-xenial:cluster  percona-cluster-xenial:cluster  percona-cluster  peer
percona-cluster-zesty:cluster   percona-cluster-zesty:cluster   percona-cluster  peer

Deployed units upgraded from existing pxc in archive OK; resyncing with other units as part of the startup process.

The update for zesty also includes the fix for bug 1728132 which Brian accepted into artful-proposed last week - just need to figure out the best way to deal with that and then I believe this security update is ready to go.

James Page (james-page) wrote :

<jamespage> James Page I've validated the security updates on artful, which also confirmed bug 1728132 is resolved
15:16 bdmurray: is the best way forward to remove the update from artful-proposed, and just go with what's in security-proposed for artful?
15:49
<apw> jamespage, are the versions sanely disjoint ?
15:50
<jamespage> James Page apw: not sure I understand your question?
15:50
<apw> the version in the security-proposed, that isn't the same as what you did, it is lower or higher, or whatever
15:50
<jamespage> James Page the versions in security-proposed dtrt with regards to moving forwards from the version in artful (indeed it's included in the changelog as well)
15:51 version in artful-proposed
15:51 apw: on normal mysql style, the security updates include upstream version bumps...
15:52
<apw> jamespage, ok so when they release that i assume your -proposed will be lower version and automatically on our list to reap
15:52
<jamespage> James Page (artful-proposed) 5.6.34-26.19-0ubuntu4.17.10.1 -> (security-artful-proposed) 5.6.37-26.21-0ubuntu0.17.10.1
15:53 5.6.37-26.21-0ubuntu0.17.10.1 includes the changes made at 5.6.34-26.19-0ubuntu4.17.10.1
15:53
<apw> then i think you can just let security do their thing and release it
15:54
<jamespage> James Page apw: that will rollup all of the security + artful-proposed goodness
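
The version-ordering question in the IRC exchange above can be checked mechanically. The following is an added example, not part of the bug report or of any Ubuntu tooling: a minimal re-implementation of dpkg's version ordering rules, applied to the version strings quoted on this page. The names `deb_compare`, `has_fix`, `FIXED` and `ARTFUL_PROPOSED` are hypothetical; on a real system `dpkg --compare-versions` is the authoritative check.

```python
import re

# Fixed versions per series, copied from the changelog entries on this page.
FIXED = {
    "xenial": "5.6.37-26.21-0ubuntu0.16.04.1",
    "zesty": "5.6.37-26.21-0ubuntu0.17.04.1",
    "artful": "5.6.37-26.21-0ubuntu0.17.10.1",
    "bionic": "5.6.37-26.21-0ubuntu1",
}
# Version sitting in artful-proposed, as quoted in the IRC log.
ARTFUL_PROPOSED = "5.6.34-26.19-0ubuntu4.17.10.1"


def _order(ch):
    # dpkg ordering of non-digit characters: '~' sorts before everything
    # (even the end of the string), letters sort before other punctuation.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _part_key(part):
    # Split into alternating (non-digit run, digit run) pairs. The trailing 0
    # in each non-digit key marks "end of run", so a shorter run sorts first
    # unless the longer one continues with '~'.
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]


def deb_key(version):
    # [epoch:]upstream[-revision]; the revision starts at the LAST hyphen,
    # so "5.6.37-26.21" is the upstream part of the PXC versions.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return (int(epoch), _part_key(upstream), _part_key(revision))


def deb_compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ka, kb = deb_key(a), deb_key(b)
    return (ka > kb) - (ka < kb)


def has_fix(series, installed):
    """True if the installed version is at or past the fixed one for series."""
    return deb_compare(installed, FIXED[series]) >= 0


if __name__ == "__main__":
    print("artful-proposed has fix:", has_fix("artful", ARTFUL_PROPOSED))
    print("series order:", sorted(FIXED, key=lambda s: deb_key(FIXED[s])))
```

The same key also shows that the four fixed versions sort in series order (xenial, zesty, artful, bionic), so a release upgrade never moves a host back to an older package version.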

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.17.04.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:18:02 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.16.04.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:19:12 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.17.04.1

---------------
percona-galera-3 (3.21-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:10:57 +0000

Changed in percona-galera-3 (Ubuntu Zesty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.17.10.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.17.10.1) artful-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:16:44 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.16.04.1

---------------
percona-galera-3 (3.21-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:10:31 +0000

Changed in percona-galera-3 (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.17.10.1

---------------
percona-galera-3 (3.21-0ubuntu0.17.10.1) artful-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.
  * d/rules,control: Force use of gcc-6 for compilation, aligning
    with pxc-5.6.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:11:14 +0000

Changed in percona-galera-3 (Ubuntu Artful):
status: Triaged → Fix Released