USN-3174-1: partially applies to MariaDB too

Bug #1657594 reported by Otto Kekäläinen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
mariadb-10.0 (Ubuntu) | | | |
  Xenial | Fix Released | Medium | Unassigned |
  Yakkety | Fix Released | Medium | Unassigned |
mariadb-10.1 (Ubuntu) | Fix Released | Medium | Unassigned |
  Zesty | Fix Released | Medium | Unassigned |
mariadb-5.5 (Ubuntu) | | | |
  Trusty | Fix Released | Medium | Unassigned |

Bug Description

https://www.ubuntu.com/usn/usn-3174-1/

The security notice above also affects MariaDB, and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
 - mariadb-5.5 in Trusty
 - mariadb-10.0 in Xenial and Yakkety (Zesty can sync from Debian)

Otto Kekäläinen (otto) wrote :

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Otto Kekäläinen (otto) wrote :

The 10.0 series updates for 16.04 and 16.10 are now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 and ubuntu-16.10 branches at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all for Yakkety.

I was unable to run test builds for Xenial because the repo ran out of space and there is nothing suitable to delete to free some space. My request for more space at https://answers.launchpad.net/launchpad/+question/440393 has not been answered yet.
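
Added example, not part of the bug report or of the packaging repository: one way to do the SHA1SUM check described in the two comments above, once pristine-tar has regenerated the orig tarball. The function name `verify_orig`, the checksum list (assumed to be obtained out of band in `sha1sum` format) and the `<...>` placeholders are assumptions.

```shell
#!/bin/sh
# Verify an orig tarball regenerated by pristine-tar against a checksum
# list obtained separately from the repository.
#
# Regenerating the tarball (needs network; <...> are placeholders, the
# page gives only the cgit web address, not a clone URL):
#   gbp clone --pristine-tar --debian-branch=ubuntu-14.04 <CLONE_URL>
#   cd <CLONE_DIR> && pristine-tar list     # names the stored orig tarball
#   pristine-tar checkout ../<ORIG_TARBALL>

# verify_orig TARBALL SUMS_FILE
#   SUMS_FILE holds sha1sum(1) lines: "<40 hex digits>  <filename>".
#   Returns 0 = digest matches, 1 = mismatch,
#           2 = unreadable input or no well-formed entry for the file.
verify_orig() {
    tarball=$1 sums=$2
    [ -r "$tarball" ] && [ -r "$sums" ] || return 2
    name=$(basename "$tarball")

    # Exact match on the filename field (tarball names contain no spaces);
    # a leading '*' is sha1sum's binary-mode marker and is ignored.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' \
        "$sums")

    # Fail closed: a missing or malformed digest is never treated as a pass.
    case $expected in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ ${#expected} -eq 40 ] || return 2

    actual=$(sha1sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}
```

A match only shows that the regenerated tarball is byte-identical to the file the checksum was published for, so the checksum list itself has to come from a trusted channel or carry a signature.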

Otto Kekäläinen (otto) wrote :

Zesty should be fixed by importing latest mariadb-10.1 10.1.21 from Debian unstable once available.

no longer affects: mariadb-10.0 (Ubuntu Trusty)
no longer affects: mariadb-10.1 (Ubuntu Trusty)
no longer affects: mariadb-10.1 (Ubuntu Xenial)
no longer affects: mariadb-10.1 (Ubuntu Yakkety)
no longer affects: mariadb-5.5 (Ubuntu Zesty)
no longer affects: mariadb-5.5 (Ubuntu Yakkety)
no longer affects: mariadb-5.5 (Ubuntu Xenial)
Tyler Hicks (tyhicks)
summary: - Recent MySQL vulnerabilities partially applies to MariaDB too
+ [USN-3174-1] partially applies to MariaDB too
summary: - [USN-3174-1] partially applies to MariaDB too
+ USN-3174-1: partially applies to MariaDB too
description: updated
Mathew Hodson (mhodson)
no longer affects: mariadb-5.5 (Ubuntu)
Mathew Hodson (mhodson)
Changed in mariadb-10.0 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Zesty):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in mariadb-10.1 (Ubuntu Zesty):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Thanks for the branches, ACK. Packages are building now and will be published when done.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.54-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.54-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.54. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 00:46:44 +0200

Changed in mariadb-5.5 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.29-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.29-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3257
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 08:58:35 +0200

Changed in mariadb-10.0 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.29-0ubuntu0.16.10.1

---------------
mariadb-10.0 (10.0.29-0ubuntu0.16.10.1) yakkety-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the
    following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3257
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664

 -- Otto Kekäläinen <email address hidden> Thu, 19 Jan 2017 00:32:48 +0200

Changed in mariadb-10.0 (Ubuntu Yakkety):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

mariadb-10.1 10.1.21-5 has made it into zesty, which addresses the CVEs here, closing that task.

Changed in mariadb-10.1 (Ubuntu Zesty):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

mariadb-10.0 has been pulled from zesty (in favor of mariadb-10.1), marking that task invalid.

Thanks!

Changed in mariadb-10.0 (Ubuntu Zesty):
status: New → Invalid
Mathew Hodson (mhodson)
no longer affects: mariadb-10.0 (Ubuntu)
no longer affects: mariadb-10.0 (Ubuntu Zesty)
This report contains Public Security information  
Everyone can see this security related information.
