[SRU] percona-xtradb-cluster 5.6.37, percona-galera 3.21

Bug #1735691 reported by James Page on 2017-12-01
Affects                                 Status                    Importance  Assigned to  Milestone
percona-galera-3 (Ubuntu)               Status tracked in Bionic
  Xenial                                                          High        Unassigned
  Zesty                                                           High        Unassigned
  Artful                                                          High        Unassigned
  Bionic                                                          High        Unassigned
percona-xtradb-cluster-5.6 (Ubuntu)     Status tracked in Bionic
  Xenial                                                          High        Unassigned
  Zesty                                                           High        Unassigned
  Artful                                                          High        Unassigned
  Bionic                                                          High        Unassigned

Bug Description

Stable update of Percona XtraDB Cluster including security fixes for the following CVEs:

CVE-2016-5617
CVE-2016-8327
CVE-2017-15365
CVE-2017-3238
CVE-2017-3244
CVE-2017-3251
CVE-2017-3256
CVE-2017-3257
CVE-2017-3258
CVE-2017-3265
CVE-2017-3273
CVE-2017-3291
CVE-2017-3305
CVE-2017-3308
CVE-2017-3309
CVE-2017-3313
CVE-2017-3317
CVE-2017-3318
CVE-2017-3329
CVE-2017-3450
CVE-2017-3452
CVE-2017-3453
CVE-2017-3461
CVE-2017-3462
CVE-2017-3463
CVE-2017-3464
CVE-2017-3599
CVE-2017-3600

Some of those are directly in PXC, others come from MySQL 5.6 as released by Oracle.

James Page (james-page) on 2017-12-01
Changed in percona-xtradb-cluster-5.6 (Ubuntu):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
status: New → Triaged
Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
status: New → Triaged
Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Xenial):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Zesty):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Artful):
status: New → Triaged
Changed in percona-galera-3 (Ubuntu Xenial):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
importance: Undecided → High
Changed in percona-galera-3 (Ubuntu Zesty):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
importance: Undecided → High
Changed in percona-galera-3 (Ubuntu Artful):
importance: Undecided → High
Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
importance: Undecided → High
James Page (james-page) wrote :

(some complication here in that we also need to rev galera to support this update to pxc - however percona-galera-3 is only used by pxc-5.6 so this is low risk with no potential of outside regressions).

description: updated
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu1

---------------
percona-galera-3 (3.21-0ubuntu1) bionic; urgency=medium

  * New upstream release (LP: #1735691):
    - d/p/*: Refresh.
  * d/rules,control: Force use of gcc-6 for compilation, aligning
    with pxc-5.6.
  * d/copyright: Tidy duplicate License naming.
  * d/control: Drop BD on dh-systemd, version debhelper as needed.
  * d/control: Bumped Standards-Version to 4.1.1:
    - d/copyright: Use https in Format field.
  * d/control: Update Vcs field for Ubuntu.

 -- James Page <email address hidden> Fri, 01 Dec 2017 12:22:53 +0000

Changed in percona-galera-3 (Ubuntu Bionic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu1) bionic; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.
  * d/p/*: Refresh.
  * d/control: Bumped Standards-Version to 4.1.1:
    - d/copyright: Use https in Format field.

 -- James Page <email address hidden> Fri, 01 Dec 2017 12:23:40 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Bionic):
status: Triaged → Fix Released
James Page (james-page) wrote :

I've placed updated packages for xenial, zesty and artful into:

  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3067

I've tested upgrades of the xenial packages in a three unit pxc cluster; each unit was upgraded in turn, correctly re-joining the cluster and re-syncing with the other two units.

I'll re-test all three against the actual security-proposed packages.

James Page (james-page) wrote :

For sponsor - there is already an update for percona-xtradb-cluster-5.6 in the UNAPPROVED queue for artful; this update forces use of gcc-6 for compilation as gcc-7 resulted in a build that segfaulted continually. The security updates have been made on top of this change, and percona-galera-6 has been moved to the same model as part of the security update for artful.

Emily Ratliff (emilyr) wrote :

James, the packages are in security-proposed and ready for testing.

James Page (james-page) wrote :

Tested upgrades for xenial, zesty and artful with three unit pxc deployments:

Model Controller Cloud/Region Version SLA
security-testing-take2 serverstack-serverstack serverstack/serverstack 2.3.0 unsupported

App Version Status Scale Charm Store Rev OS Notes
percona-cluster-artful 5.6.37-26.21 active 3 percona-cluster jujucharms 278 ubuntu
percona-cluster-xenial 5.6.37-26.21 active 3 percona-cluster jujucharms 278 ubuntu
percona-cluster-zesty 5.6.37-26.21 active 3 percona-cluster jujucharms 256 ubuntu

Unit Workload Agent Machine Public address Ports Message
percona-cluster-artful/0* active idle 0 10.5.0.28 3306/tcp Unit is ready
percona-cluster-artful/1 active idle 1 10.5.0.35 3306/tcp Unit is ready
percona-cluster-artful/2 active idle 2 10.5.0.3 3306/tcp Unit is ready
percona-cluster-xenial/0 active idle 3 10.5.0.43 3306/tcp Unit is ready
percona-cluster-xenial/1 active idle 4 10.5.0.11 3306/tcp Unit is ready
percona-cluster-xenial/2* active idle 5 10.5.0.7 3306/tcp Unit is ready
percona-cluster-zesty/0 active idle 6 10.5.0.29 3306/tcp Unit is ready
percona-cluster-zesty/1* active idle 7 10.5.0.4 3306/tcp Unit is ready
percona-cluster-zesty/2 active idle 8 10.5.0.17 3306/tcp Unit is ready

Machine State DNS Inst id Series AZ Message
0 started 10.5.0.28 0009d493-08b4-4d90-8e80-489a35cdc0d1 artful nova ACTIVE
1 started 10.5.0.35 90aef5f8-28cc-4a03-afdf-d8f06d3d9d55 artful nova ACTIVE
2 started 10.5.0.3 008eee4f-bd01-486b-a4af-ddd8d37bab94 artful nova ACTIVE
3 started 10.5.0.43 c0a74321-bea1-4ea1-85e3-9094add314cc xenial nova ACTIVE
4 started 10.5.0.11 27e3ac73-72d4-437b-8c73-116c8cc8783d xenial nova ACTIVE
5 started 10.5.0.7 1c830d03-b8b7-4378-ab8d-760b14890941 xenial nova ACTIVE
6 started 10.5.0.29 4494afaf-7627-402f-bfe5-5a0979d2dc60 zesty nova ACTIVE
7 started 10.5.0.4 55a0afc8-cb7b-45f1-a3cd-190a259225b6 zesty nova ACTIVE
8 started 10.5.0.17 e0c72022-d4f1-4e4f-8476-53ea207184e7 zesty nova ACTIVE

Relation provider Requirer Interface Type Message
percona-cluster-artful:cluster percona-cluster-artful:cluster percona-cluster peer
percona-cluster-xenial:cluster percona-cluster-xenial:cluster percona-cluster peer
percona-cluster-zesty:cluster percona-cluster-zesty:cluster percona-cluster peer

Deployed units upgraded from existing pxc in archive OK; resyncing with other units as part of the startup process.

The update for zesty also includes the fix for bug 1728132 which Brian accepted into artful-proposed last week - just need to figure out the best way to deal with that and then I believe this security update is ready to go.

James Page (james-page) wrote :

<jamespage> James Page I've validated the security updates on artful, which also confirmed bug 1728132 is resolved
15:16 bdmurray: is the best way forward to remove the update from artful-proposed, and just go with what's in security-proposed for artful?
15:49
<apw> jamespage, are the versions sanely disjoint ?
15:50
<jamespage> James Page apw: not sure I understand your question?
15:50
<apw> the version in the security-proposed, that isn't the same as what you did, it is lower or higher, or whatever
15:50
<jamespage> James Page the versions in security-proposed dtrt with regards to moving forwards from the version in artful (indeed it's included in the changelog as well)
15:51 version in artful-proposed
15:51 apw: on normal mysql style, the security updates include upstream version bumps...
15:52
<apw> jamespage, ok so when they release that i assume your -proposed will be lower version and automatically on our list to reap
15:52
<jamespage> James Page (artful-proposed) 5.6.34-26.19-0ubuntu4.17.10.1 -> (security-artful-proposed) 5.6.37-26.21-0ubuntu0.17.10.1
15:53 5.6.37-26.21-0ubuntu0.17.10.1 includes the changes made at 5.6.34-26.19-0ubuntu4.17.10.1
15:53
<apw> then i think you can just let security do their thing and release it
15:54
<jamespage> James Page apw: that will rollup all of the security + artful-proposed goodness

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.17.04.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:18:02 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Zesty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.16.04.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:19:12 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.17.04.1

---------------
percona-galera-3 (3.21-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:10:57 +0000

Changed in percona-galera-3 (Ubuntu Zesty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-xtradb-cluster-5.6 - 5.6.37-26.21-0ubuntu0.17.10.1

---------------
percona-xtradb-cluster-5.6 (5.6.37-26.21-0ubuntu0.17.10.1) artful-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.37-26.21 to fix security issues
    (LP: #1735691):
    - CVE-2016-5617
    - CVE-2016-8327
    - CVE-2017-15365
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3257
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3305
    - CVE-2017-3308
    - CVE-2017-3309
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3329
    - CVE-2017-3450
    - CVE-2017-3452
    - CVE-2017-3453
    - CVE-2017-3461
    - CVE-2017-3462
    - CVE-2017-3463
    - CVE-2017-3464
    - CVE-2017-3599
    - CVE-2017-3600
    - d/control: Bump minimum galera version to 3.21.
    - d/p/error-uninitialized.patch: Resolve build failure on 32 bit
      archs due to -Werror=uninitialized.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:16:44 +0000

Changed in percona-xtradb-cluster-5.6 (Ubuntu Artful):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.16.04.1

---------------
percona-galera-3 (3.21-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:10:31 +0000

Changed in percona-galera-3 (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package percona-galera-3 - 3.21-0ubuntu0.17.10.1

---------------
percona-galera-3 (3.21-0ubuntu0.17.10.1) artful-security; urgency=medium

  * SECURITY UPDATE: Update to 3.21 to support security updates
    for percona-xtradb-server-5.6 (LP: #1735691).
    - d/p/gcc5.diff: Rebase.
  * d/rules,control: Force use of gcc-6 for compilation, aligning
    with pxc-5.6.

 -- James Page <email address hidden> Mon, 04 Dec 2017 09:11:14 +0000

Changed in percona-galera-3 (Ubuntu Artful):
status: Triaged → Fix Released