USN-2881-1: MySQL vulnerabilities also apply to MariaDB
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mariadb-10.0 (Ubuntu) | | Medium | Unassigned | |
| Vivid | | Medium | Steve Beattie | |
| Wily | | Medium | Steve Beattie | |
Bug Description
The mentioned security notice also affects MariaDB and the latest release includes fixes.
For trusty I already did mariadb-5.5.47 on December 10th:
https:/
Nobody uploaded it despite that it is a point release with MRE granted. Can you
upload it now?
For wily and vivid I'll prepare mariadb-10.0 version 10.0.23 now and attach as patches to this bug report.
Xenial already got 10.0.23 automatically from Debian testing/sid.
Otto Kekäläinen (otto) wrote : | #1 |
information type: | Private Security → Public Security |
Changed in mariadb-10.0 (Ubuntu): | |
importance: | Undecided → Medium |
Otto Kekäläinen (otto) wrote : | #2 |
Note that http://
Steve Beattie (sbeattie) wrote : | #3 |
Thanks for preparing this.
Changed in mariadb-10.0 (Ubuntu): | |
status: | New → Fix Released |
Changed in mariadb-10.0 (Ubuntu Vivid): | |
assignee: | nobody → Steve Beattie (sbeattie) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in mariadb-10.0 (Ubuntu Wily): | |
assignee: | nobody → Steve Beattie (sbeattie) |
importance: | Undecided → Medium |
status: | New → In Progress |
Steve Beattie (sbeattie) wrote : | #4 |
I've uploaded your mariadb-10.0 packages to the ubuntu-
Steve Beattie (sbeattie) wrote : | #5 |
Bah, sorry, wrong URL for the ppa, it's at https:/
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package mariadb-10.0 - 10.0.23-
---------------
mariadb-10.0 (10.0.23-
* SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):
- CVE-2016-2047
- CVE-2016-0616
- CVE-2016-0609
- CVE-2016-0608
- CVE-2016-0606
- CVE-2016-0600
- CVE-2016-0598
- CVE-2016-0597
- CVE-2016-0596
- CVE-2016-0546
- CVE-2016-0505
* Update TokuDB plugin install and copyright paths to match latest
release done under Percona ownership
-- Otto Kekäläinen <email address hidden> Tue, 26 Jan 2016 23:59:51 +0200
Changed in mariadb-10.0 (Ubuntu Wily): | |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package mariadb-10.0 - 10.0.23-
---------------
mariadb-10.0 (10.0.23-
* SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):
- CVE-2016-2047
- CVE-2016-0616
- CVE-2016-0609
- CVE-2016-0608
- CVE-2016-0606
- CVE-2016-0600
- CVE-2016-0598
- CVE-2016-0597
- CVE-2016-0596
- CVE-2016-0546
- CVE-2016-0505
* Update TokuDB plugin install and copyright paths to match latest
release done under Percona ownership
-- Otto Kekäläinen <email address hidden> Tue, 26 Jan 2016 23:59:51 +0200
Changed in mariadb-10.0 (Ubuntu Vivid): | |
status: | In Progress → Fix Released |
Use uscan to get new upstream sources downloaded and signature verified automatically.
Remove the upstream provided debian/ directory and add the debian/* contents from the latest Ubuntu package.
Then apply the attached debdiff that updates the changelog and refreshes patches to match new upstream release.
Debdiff was created with command "git diff ubuntu/10.0.22-0ubuntu0.15.04.1..HEAD debian/ > 10.0.22-0ubuntu0.15.04.1..10.0.23-0ubuntu0.15.04.1.debdiff" in the official Debian packaging repository, branch ubuntu-15.04: http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/log/?h=ubuntu-15.04
As the MariaDB version in vivid and wily is identical, this same patch can basically be applied on both (just adjust the release name).
Please check the excellent Debian CVE trackers for details about which CVE applies to which package. Note in particular that MariaDB 10.0.23 has this fixed but it still goes unfixed in MySQL releases: https://security-tracker.debian.org/tracker/CVE-2016-2047
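An added example (not part of the original bug report or the packaging repository): a Python check that the newest stanza of a `debian/changelog` names every CVE a security notice requires, which is what a sponsor would confirm before uploading a debdiff like the one described above. The sample changelog is constructed from the entry quoted on this page; the distribution, urgency and maintainer fields, the older stanza, and the placeholder id `CVE-0000-0000` are assumptions.

```python
import re

# CVE ids listed in the changelog entry quoted in this bug report.
PAGE_CVES = (
    "CVE-2016-2047", "CVE-2016-0616", "CVE-2016-0609", "CVE-2016-0608",
    "CVE-2016-0606", "CVE-2016-0600", "CVE-2016-0598", "CVE-2016-0597",
    "CVE-2016-0596", "CVE-2016-0546", "CVE-2016-0505",
)

# Constructed sample changelog: distribution, urgency and maintainer fields are
# assumed, and CVE-0000-0000 in the older stanza is a placeholder id.
SAMPLE = (
    "mariadb-10.0 (10.0.23-0ubuntu0.15.04.1) vivid-security; urgency=medium\n\n"
    "  * SECURITY UPDATE: Update to 10.0.23 fixes security issues (LP: #1538315):\n"
    + "".join(f"    - {cve}\n" for cve in PAGE_CVES)
    + "\n -- Example Maintainer <maint@example.com>  Tue, 26 Jan 2016 23:59:51 +0200\n\n"
    "mariadb-10.0 (10.0.22-0ubuntu0.15.04.1) vivid-security; urgency=medium\n\n"
    "  * SECURITY UPDATE: placeholder older entry\n    - CVE-0000-0000\n\n"
    " -- Example Maintainer <maint@example.com>  Mon, 02 Nov 2015 12:00:00 +0200\n"
)

HEADER = re.compile(r"^(?P<package>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) ")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
LP_BUG = re.compile(r"LP: #(\d+)")


def parse_top_entry(changelog):
    """Return package, version, CVE ids and LP bugs of the newest stanza only."""
    # The " -- maintainer  date" trailer closes a stanza; everything after the
    # first trailer belongs to older uploads and must not count as fixed here.
    stanza = changelog.split("\n -- ", 1)[0]
    header = HEADER.match(stanza)
    if header is None:
        raise ValueError("first line is not a changelog stanza header")
    return {
        "package": header["package"],
        "version": header["version"],
        "cves": set(CVE.findall(stanza)),
        "lp_bugs": set(LP_BUG.findall(stanza)),
    }


def missing_cves(entry, required):
    """CVE ids from the advisory that the newest stanza does not mention."""
    return sorted(set(required) - entry["cves"])
```
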