| Summary: | mariadb new security issues fixed in 5.5.37 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | lewyssmith, rverschelde, sysadmin-bugs, tmb, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/595784/ | | |
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory | | |
| Source RPM: | mariadb-5.5.36-1.mga3.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-04-23 18:23:41 CEST
David Walser
2014-04-23 18:23:46 CEST
Whiteboard:
(none) =>
MGA3TOO

Seems oden built 5.5.37 for mga3 on April 18th so rpms to test:

mga3:

SRPM:
mariadb-5.5.37-1.mga3.src.rpm

i586:
libmariadb18-5.5.37-1.mga3.i586.rpm
libmariadb-devel-5.5.37-1.mga3.i586.rpm
libmariadb-embedded18-5.5.37-1.mga3.i586.rpm
libmariadb-embedded-devel-5.5.37-1.mga3.i586.rpm
mariadb-5.5.37-1.mga3.i586.rpm
mariadb-bench-5.5.37-1.mga3.i586.rpm
mariadb-client-5.5.37-1.mga3.i586.rpm
mariadb-common-5.5.37-1.mga3.i586.rpm
mariadb-common-core-5.5.37-1.mga3.i586.rpm
mariadb-core-5.5.37-1.mga3.i586.rpm
mariadb-extra-5.5.37-1.mga3.i586.rpm
mariadb-feedback-5.5.37-1.mga3.i586.rpm
mariadb-obsolete-5.5.37-1.mga3.i586.rpm
mysql-MariaDB-5.5.37-1.mga3.i586.rpm

x86_64:
lib64mariadb18-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-devel-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-embedded18-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-embedded-devel-5.5.37-1.mga3.x86_64.rpm
mariadb-5.5.37-1.mga3.x86_64.rpm
mariadb-bench-5.5.37-1.mga3.x86_64.rpm
mariadb-client-5.5.37-1.mga3.x86_64.rpm
mariadb-common-5.5.37-1.mga3.x86_64.rpm
mariadb-common-core-5.5.37-1.mga3.x86_64.rpm
mariadb-core-5.5.37-1.mga3.x86_64.rpm
mariadb-extra-5.5.37-1.mga3.x86_64.rpm
mariadb-feedback-5.5.37-1.mga3.x86_64.rpm
mariadb-obsolete-5.5.37-1.mga3.x86_64.rpm
mysql-MariaDB-5.5.37-1.mga3.x86_64.rpm

mga4:

SRPM:
mariadb-5.5.37-1.mga4.src.rpm

i586:
libmariadb18-5.5.37-1.mga4.i586.rpm
libmariadb-devel-5.5.37-1.mga4.i586.rpm
libmariadb-embedded18-5.5.37-1.mga4.i586.rpm
libmariadb-embedded-devel-5.5.37-1.mga4.i586.rpm
mariadb-5.5.37-1.mga4.i586.rpm
mariadb-bench-5.5.37-1.mga4.i586.rpm
mariadb-client-5.5.37-1.mga4.i586.rpm
mariadb-common-5.5.37-1.mga4.i586.rpm
mariadb-common-core-5.5.37-1.mga4.i586.rpm
mariadb-core-5.5.37-1.mga4.i586.rpm
mariadb-extra-5.5.37-1.mga4.i586.rpm
mariadb-feedback-5.5.37-1.mga4.i586.rpm
mariadb-obsolete-5.5.37-1.mga4.i586.rpm
mysql-MariaDB-5.5.37-1.mga4.i586.rpm

x86_64:
lib64mariadb18-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-devel-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-embedded18-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-embedded-devel-5.5.37-1.mga4.x86_64.rpm
mariadb-5.5.37-1.mga4.x86_64.rpm
mariadb-bench-5.5.37-1.mga4.x86_64.rpm
mariadb-client-5.5.37-1.mga4.x86_64.rpm
mariadb-common-5.5.37-1.mga4.x86_64.rpm
mariadb-common-core-5.5.37-1.mga4.x86_64.rpm
mariadb-core-5.5.37-1.mga4.x86_64.rpm
mariadb-extra-5.5.37-1.mga4.x86_64.rpm
mariadb-feedback-5.5.37-1.mga4.x86_64.rpm
mariadb-obsolete-5.5.37-1.mga4.x86_64.rpm
mysql-MariaDB-5.5.37-1.mga4.x86_64.rpm

Assignee:
alien =>
qa-bugs

Thanks Thomas!

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML (CVE-2014-0384).

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition (CVE-2014-2419).

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema (CVE-2014-2430).

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options (CVE-2014-2431).

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated (CVE-2014-2432).

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR (CVE-2014-2436).

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication (CVE-2014-2438).

Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors (CVE-2014-2440).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440
https://mariadb.com/kb/en/mariadb-5537-changelog/
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:102/

Testing MGA4 64-bit real h/w.

Updated from Updates Testing:-
mariadb-5.5.37-1.mga4
mariadb-client-5.5.37-1.mga4
mariadb-extra-5.5.37-1.mga4
mariadb-core-5.5.37-1.mga4
mariadb-common-5.5.37-1.mga4
lib64mariadb-embedded18-5.5.37-1.mga4
mariadb-common-core-5.5.37-1.mga4

Played with Moodle & PHPmyadmin, these simple things revealed nothing nasty. (Alas have lost details for egroupware to try that as well, but never got it set up initially).

Am OK-ing this update.

CC:
(none) =>
lewyssmith

Running fine on our MediaWiki and Moodle servers here at work (Mageia 4 i586).

Whiteboard:
MGA3TOO MGA4-64-OK =>
MGA3TOO MGA4-64-OK MGA4-32-OK

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

Setup mariadb
In root terminal:
systemctl start mysqld.service
Set password to: testmaria
[root@localhost wilcal]# mysqladmin -u root password
type password "testmaria" twice

default install of mariadb

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.36-1.mga3.x86_64 is already installed

localhost/phpmyadmin works

install package from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.37-1.mga3.i586 is already installed

localhost/phpmyadmin works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC:
(none) =>
wilcal.int

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
mariadb phpmyadmin

Setup mariadb
In root terminal:
systemctl start mysqld.service
Set password to: testmaria
[root@localhost wilcal]# mysqladmin -u root password
type password "testmaria" twice

default install of mariadb

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.36-1.mga3.i586 is already installed

localhost/phpmyadmin works

install package from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.37-1.mga3.x86_64 is already installed

localhost/phpmyadmin works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard:
MGA3TOO MGA3-32-OK MGA4-64-OK MGA4-32-OK =>
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK

For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
If everyone is happy let's Validate this update.

Validating update, advisory has been uploaded.

Please push mariadb to 3 & 4 core/updates.

Thanks!

Keywords:
(none) =>
validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2014-0239.html

Status:
NEW =>
RESOLVED