mysql 5.5.46, 5.6.27 security update tracking bug

Bug #1508441 reported by Marc Deslauriers on 2015-10-21
This bug affects 1 person
Affects               Importance   Assigned to
mysql-5.5 (Ubuntu)    Undecided    Unassigned
  Precise             Medium       Marc Deslauriers
  Trusty              Medium       Marc Deslauriers
  Vivid               Undecided    Unassigned
  Wily                Undecided    Unassigned
mysql-5.6 (Ubuntu)    Medium       Marc Deslauriers
  Precise             Undecided    Unassigned
  Trusty              Medium       Unassigned
  Vivid               Medium       Marc Deslauriers
  Wily                Medium       Marc Deslauriers
Changed in mysql-5.5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.5 (Ubuntu Vivid):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Wily):
status: New → Invalid
Changed in mysql-5.6 (Ubuntu Precise):
status: New → Invalid
Changed in mysql-5.6 (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.6 (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.6 (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.46-0ubuntu0.12.04.2

---------------
mysql-5.5 (5.5.46-0ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4864
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/revert_atomic.patch: fix ftbfs on arm and powerpc by
    reverting to __sync_lock_test_and_set.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 11:42:06 -0400

Changed in mysql-5.5 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu1

---------------
mysql-5.6 (5.6.27-0ubuntu1) wily-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4730
    - CVE-2015-4766
    - CVE-2015-4792
    - CVE-2015-4800
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4833
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4862
    - CVE-2015-4864
    - CVE-2015-4866
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4890
    - CVE-2015-4895
    - CVE-2015-4904
    - CVE-2015-4910
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 08:35:53 -0400

Changed in mysql-5.6 (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu0.15.04.1

---------------
mysql-5.6 (5.6.27-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4730
    - CVE-2015-4766
    - CVE-2015-4792
    - CVE-2015-4800
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4833
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4862
    - CVE-2015-4864
    - CVE-2015-4866
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4890
    - CVE-2015-4895
    - CVE-2015-4904
    - CVE-2015-4910
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 09:39:27 -0400

Changed in mysql-5.6 (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.46-0ubuntu0.14.04.2

---------------
mysql-5.5 (5.5.46-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4864
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 07:14:11 -0400

Changed in mysql-5.5 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu0.14.04.1

---------------
mysql-5.6 (5.6.27-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.
  * debian/rules: fix ftbfs by building the sql directory first so the
    required files are generated.

 -- Marc Deslauriers <email address hidden> Mon, 26 Oct 2015 10:44:28 -0400

Changed in mysql-5.6 (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in mysql-5.6 (Ubuntu):
status: Confirmed → Fix Released
Tsukasa (tsukasa1105) wrote :

Possible regression. I have vagrant -> puppet setting up Ubuntu 14.04 from scratch on a semi-regular basis. After the package was released I see this:

==> one: Setting up mysql-server-core-5.6 (5.6.27-0ubuntu0.14.04.1) ...
==> one: Setting up mysql-server-5.6 (5.6.27-0ubuntu0.14.04.1) ...
==> one: start: Job failed to start
==> one: invoke-rc.d: initscript mysql, action "start" failed.
==> one: dpkg: error processing package mysql-server-5.6 (--configure):
==> one: subprocess installed post-installation script returned error exit status 1

After I SSH into the box and run it manually:

# /etc/init.d/mysql start
 * Starting MySQL database server mysqld
No directory, logging in with HOME=/
-su: 31: source: not found
   ...done.
 * Checking for tables which need an upgrade, are corrupt or were
not closed cleanly.

Then mysql server runs correctly.

More info:

# apt-cache policy mysql-server-5.6
mysql-server-5.6:
  Installed: 5.6.27-0ubuntu0.14.04.1
  Candidate: 5.6.27-0ubuntu0.14.04.1
  Version table:
 *** 5.6.27-0ubuntu0.14.04.1 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.6.25-3+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/mysql-5.6/ubuntu/ trusty/main amd64 Packages
     5.6.16-1~exp1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/universe amd64 Packages

Marc Deslauriers (mdeslaur) wrote :

I can't reproduce that failure. Could you please attach your /var/log/dpkg.log file?

Tsukasa (tsukasa1105) wrote :

Sure.

Marc Deslauriers (mdeslaur) wrote :

Looks like you upgraded from a version that wasn't in the archive, namely 5.6.25-3+deb.sury.org~trusty+1.
Are you able to reproduce the issue in a clean install without that unofficial package?

Tsukasa (tsukasa1105) wrote :

I believe that package would be in the default distribution image for linode (as it is a fresh image from their fresh image).

Should I contact the Linode package managers and/or force an uninstall somehow?

Tsukasa (tsukasa1105) wrote :

Got it fixed by removing the PPA for deb.sury.org. I also notified the maintainer of this issue.

For those who have the same issue and are using puphpet, this repository is enabled by default. I modified puphpet/puppet/modules/puphpet/manifests/mysql/repo.pp and changed the file to:

class puphpet::mysql::repo(
  $version
) {
}

to remove the repository and it was fixed for me.

Thanks
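
The diagnosis reached in this thread (an upgrade from a PPA build rather than from an archive version) can be checked mechanically. The following is an added example, not part of the original report or of any Ubuntu tooling: it parses the `apt-cache policy` output quoted above together with a dpkg.log `upgrade` line. The trusted-host set, the function names and the dpkg.log line are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# `apt-cache policy` output as quoted in the report above.
POLICY = """\
mysql-server-5.6:
  Installed: 5.6.27-0ubuntu0.14.04.1
  Candidate: 5.6.27-0ubuntu0.14.04.1
  Version table:
 *** 5.6.27-0ubuntu0.14.04.1 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.6.25-3+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/mysql-5.6/ubuntu/ trusty/main amd64 Packages
     5.6.16-1~exp1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/universe amd64 Packages
"""
# Constructed dpkg.log line (the log excerpt in the report is cut off before it).
DPKG_LOG = ("2015-10-28 17:30:01 upgrade mysql-server-5.6:amd64 "
            "5.6.25-3+deb.sury.org~trusty+1 5.6.27-0ubuntu0.14.04.1\n")
# Assumption: hosts this site treats as the official archive or its mirror.
TRUSTED = {"archive.ubuntu.com", "security.ubuntu.com", "mirrors.linode.com"}

def version_sources(policy_text):
    """Map each version in the 'Version table' to the sources offering it."""
    table, current, in_table = {}, None, False
    for line in policy_text.splitlines():
        text = line.strip()
        if text == "Version table:":
            in_table = True
        elif in_table and text:
            if len(line) - len(line.lstrip()) >= 8 and current:
                table[current].append(text.split()[1])   # "<prio> <source> ..."
            else:
                current = text.lstrip("* ").split()[0]   # "[***] <version> <pin>"
                table[current] = []
    return table

def third_party_versions(table, trusted=TRUSTED):
    """Versions offered only by hosts outside `trusted`; local status files are ignored."""
    flagged = {}
    for version, sources in table.items():
        hosts = {urlparse(s).hostname for s in sources if "://" in s}
        if hosts and not hosts & trusted:
            flagged[version] = sorted(hosts)
    return flagged

def upgrades_from_third_party(dpkg_log, package, flagged):
    """(old, new) pairs where dpkg upgraded `package` from a flagged version."""
    hits = []
    for line in dpkg_log.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] == "upgrade" and f[3].split(":")[0] == package \
                and f[4] in flagged:
            hits.append((f[4], f[5]))
    return hits
```

A non-empty result from `upgrades_from_third_party` means the security update was applied on top of a package the archive never shipped, so a maintainer-script failure should first be reproduced on a clean install before it is treated as a regression in the update.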
