Bug 14304

Summary: mariadb new security issues fixed in 5.5.40
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: alien, oe, rverschelde, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/616447/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK advisory
Source RPM: mariadb-5.5.39-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-16 16:57:23 CEST 
Ubuntu has issued an advisory on October 15:
http://www.ubuntu.com/usn/usn-2384-1/

The CVEs are also covered in the latest Oracle Critical Patch Update, along with Java:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

I'm assuming that some or all of these issues are also fixed in MariaDB 5.5.38:
https://blog.mariadb.org/mariadb-5-5-40-now-available/

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-16 16:57:29 CEST

Whiteboard: (none) => MGA3TOO

David Walser 2014-10-16 16:58:44 CEST

CC: (none) => oe

David Walser 2014-10-16 18:03:42 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616447/

Comment 1 Oden Eriksson 2014-10-23 15:23:20 CEST 
According to the changlog here:

https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5540-release-notes/

The following CVEs has been fixed:

CVE-2014-6507
CVE-2014-6491
CVE-2014-6500
CVE-2014-6469
CVE-2014-6555
CVE-2014-6559
CVE-2014-6494
CVE-2014-6496
CVE-2014-6464

As usual not so informative CVE descriptions.
Comment 2 Oden Eriksson 2014-10-23 15:24:05 CEST 
mariadb-5.5.40-1.mga3 + mariadb-5.5.40-1.mga4 has been submitted.
Comment 3 Oden Eriksson 2014-10-23 15:27:46 CEST 
The ubuntu advisory (usn-2384-1) also lists these CVEs:

CVE-2012-5615
CVE-2014-4274
CVE-2014-4287
CVE-2014-6463
CVE-2014-6478
CVE-2014-6484
CVE-2014-6495
CVE-2014-6505
CVE-2014-6520
CVE-2014-6530
CVE-2014-6551
Comment 4 Oden Eriksson 2014-10-23 15:36:13 CEST 
(In reply to Oden Eriksson from comment #3)
> The ubuntu advisory (usn-2384-1) also lists these CVEs:
> 
> CVE-2012-5615
> CVE-2014-4274
> CVE-2014-4287
> CVE-2014-6463
> CVE-2014-6478
> CVE-2014-6484
> CVE-2014-6495
> CVE-2014-6505
> CVE-2014-6520
> CVE-2014-6530
> CVE-2014-6551

I'm assuming these were fixed with mariadb-5.5.38? But then the 
MGASA-2014-0299 advisory does not match.
Comment 5 David Walser 2014-10-23 16:29:34 CEST 
(In reply to Oden Eriksson from comment #4)
> (In reply to Oden Eriksson from comment #3)
> > The ubuntu advisory (usn-2384-1) also lists these CVEs:
> > 
> > CVE-2012-5615
> > CVE-2014-4274
> > CVE-2014-4287
> > CVE-2014-6463
> > CVE-2014-6478
> > CVE-2014-6484
> > CVE-2014-6495
> > CVE-2014-6505
> > CVE-2014-6520
> > CVE-2014-6530
> > CVE-2014-6551
> 
> I'm assuming these were fixed with mariadb-5.5.38? But then the 
> MGASA-2014-0299 advisory does not match.

Those would have been fixed in 5.5.39 then.  No information was available at the time, so they were not included in the advisory.
Comment 6 David Walser 2014-10-23 16:30:41 CEST 
Updated packages uploaded by Oden for Mageia 3 and Mageia 4.

Advisory to come later.

Updated packages in core/updates_testing:
========================
mariadb-5.5.40-1.mga3
mysql-MariaDB-5.5.40-1.mga3
mariadb-feedback-5.5.40-1.mga3
mariadb-extra-5.5.40-1.mga3
mariadb-obsolete-5.5.40-1.mga3
mariadb-core-5.5.40-1.mga3
mariadb-common-core-5.5.40-1.mga3
mariadb-common-5.5.40-1.mga3
mariadb-client-5.5.40-1.mga3
mariadb-bench-5.5.40-1.mga3
libmariadb18-5.5.40-1.mga3
libmariadb-devel-5.5.40-1.mga3
libmariadb-embedded18-5.5.40-1.mga3
libmariadb-embedded-devel-5.5.40-1.mga3
mariadb-5.5.40-1.mga4
mysql-MariaDB-5.5.40-1.mga4
mariadb-feedback-5.5.40-1.mga4
mariadb-extra-5.5.40-1.mga4
mariadb-obsolete-5.5.40-1.mga4
mariadb-core-5.5.40-1.mga4
mariadb-common-core-5.5.40-1.mga4
mariadb-common-5.5.40-1.mga4
mariadb-client-5.5.40-1.mga4
mariadb-bench-5.5.40-1.mga4
libmariadb18-5.5.40-1.mga4
libmariadb-devel-5.5.40-1.mga4
libmariadb-embedded18-5.5.40-1.mga4
libmariadb-embedded-devel-5.5.40-1.mga4

from SRPMS:
mariadb-5.5.40-1.mga3.src.rpm
mariadb-5.5.40-1.mga4.src.rpm

CC: (none) => alien
Assignee: alien => qa-bugs

Comment 7 Shlomi Fish 2014-10-24 16:05:06 CEST 
Procedure is here:

https://bugs.mageia.org/show_bug.cgi?id=14015

Tested fine on mga4-64-OK.

CC: (none) => shlomif
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK has_procedure

Comment 8 Shlomi Fish 2014-10-24 16:24:52 CEST 
MGA4-32-OK.

Whiteboard: MGA3TOO MGA4-64-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure

Comment 9 Shlomi Fish 2014-10-24 16:51:03 CEST 
Tested on MGA3-32- - everything is fine.

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK

Comment 10 Shlomi Fish 2014-10-24 17:02:33 CEST 
MGA3-64-OK .

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK

Comment 12 RĂ©mi Verschelde 2014-10-24 17:57:33 CEST 
Advisory uploaded. Validating, please push mariadb to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 13 Mageia Robot 2014-10-25 22:23:43 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0424.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2014-11-21 19:08:51 CET 
This also should have fixed CVE-2014-6564, according to Oracle:
http://lwn.net/Vulnerabilities/622622/