| Summary: | mariadb 5.5.44 and 10.0.20 (fixes CVE-2015-3152) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | alien, davidwhodgins, herman.viaene, oe, shlomif, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/650296/ | ||
| Whiteboard: | MGA4TOO advisory MGA4-64-OK MGA4-32-OK MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | mariadb-10.0.19-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-06-19 13:52:27 CEST
David Walser
2015-06-19 13:52:33 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO

Oden gave information on a security issue fixed in these releases:
https://bugzilla.redhat.com/show_bug.cgi?id=1217506
http://www.securityweek.com/mysql-ssltls-connections-risk-due-backronym-flaw

Also known as oCERT-2015-003 and BACKRONYM, apparently.

CC:
(none) =>
oe

*** Bug 16265 has been marked as a duplicate of this bug. ***

Fedora has issued an advisory for this on June 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html

URL:
(none) =>
http://lwn.net/Vulnerabilities/650296/

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron by Maarten.

Please go ahead and assign to QA when it's ready. Thanks!

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152
https://mariadb.com/kb/en/mariadb/mariadb-5544-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html

Updated packages in core/updates_testing:
========================
mariadb-5.5.44-1.mga4
mysql-MariaDB-5.5.44-1.mga4
mariadb-feedback-5.5.44-1.mga4
mariadb-extra-5.5.44-1.mga4
mariadb-obsolete-5.5.44-1.mga4
mariadb-core-5.5.44-1.mga4
mariadb-common-core-5.5.44-1.mga4
mariadb-common-5.5.44-1.mga4
mariadb-client-5.5.44-1.mga4
mariadb-bench-5.5.44-1.mga4
libmariadb18-5.5.44-1.mga4
libmariadb-devel-5.5.44-1.mga4
libmariadb-embedded18-5.5.44-1.mga4
mariadb-10.0.20-1.mga5
mysql-MariaDB-10.0.20-1.mga5
mariadb-cassandra-10.0.20-1.mga5
mariadb-feedback-10.0.20-1.mga5
mariadb-oqgraph-10.0.20-1.mga5
mariadb-connect-10.0.20-1.mga5
mariadb-sphinx-10.0.20-1.mga5
mariadb-mroonga-10.0.20-1.mga5
mariadb-sequence-10.0.20-1.mga5
mariadb-spider-10.0.20-1.mga5
mariadb-extra-10.0.20-1.mga5
mariadb-obsolete-10.0.20-1.mga5
mariadb-core-10.0.20-1.mga5
mariadb-common-core-10.0.20-1.mga5
mariadb-common-10.0.20-1.mga5
mariadb-client-10.0.20-1.mga5
mariadb-bench-10.0.20-1.mga5
libmariadb18-10.0.20-1.mga5
libmariadb-devel-10.0.20-1.mga5
libmariadb-embedded18-10.0.20-1.mga5
libmariadb-embedded-devel-10.0.20-1.mga5

from SRPMS:
mariadb-5.5.44-1.mga4.src.rpm
mariadb-10.0.20-1.mga5.src.rpm

Version:
Cauldron =>
5

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Debian has issued advisories for this on July 18 and July 20:
https://www.debian.org/security/2015/dsa-3308
https://www.debian.org/security/2015/dsa-3311

LWN reference for additional CVEs fixed in 5.5.44:
http://lwn.net/Vulnerabilities/651764/

Assigning to QA since there was no response from Maarten. Package list in Comment 4.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

The mariadb package has been updated to versions 5.5.44 and 10.0.20 in Mageia 4 and Mageia 5, respectively. Both fix an issue where the client is vulnerable to a man-in-the-middle attack when using the --ssl option, where the SSL/TLS protection could be disabled (CVE-2015-3152).

The Mageia 4 update also fixes other unspecified security issues, such as CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-4737, and CVE-2015-4752. Refer to the Oracle Critical Patch Update for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4752
https://mariadb.com/kb/en/mariadb/mariadb-5544-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html

CC:
(none) =>
alien
David Walser
2015-07-20 20:50:18 CEST
Severity:
normal =>
major
Samuel Verschelde
2015-07-22 17:48:49 CEST
Component:
RPM Packages =>
Security
Dave Hodgins
2015-07-23 02:25:43 CEST
CC:
(none) =>
davidwhodgins

In VirtualBox, M4, KDE, 32-bit

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.43-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.43-1.mga4.i586 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

install mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.44-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.44-1.mga4.i586 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up and is usable

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

CC:
(none) =>
wilcal.int

In VirtualBox, M4, KDE, 64-bit

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb lib64mariadb-embedded18 li64mariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi li64mariadb-embedded18
No package named li64mariadb-embedded18
[root@localhost wilcal]# urpmi lib64mariadb18
Package lib64mariadb18-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.43-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.43-1.mga4.x86_64 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

install mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb-embedded18
Package lib64mariadb-embedded18-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb18
Package lib64mariadb18-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.44-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.44-1.mga4.x86_64 is already installed

Stop and restart mysqld

http://localhost/mediawiki opens, re-sets up and is usable
http://localhost/phpmyadmin opens, is usable and I can create a db

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

MGA4-32 on Acer D620. No installation issues.
Can stop, start mysql and use phpmyadmin as per Comment 7

CC:
(none) =>
herman.viaene

In VirtualBox, M5, KDE, 32-bit

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.19-1.mga5.i586 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

install mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra from updates_testing

stop and restart mysqld

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.20-1.mga5.i586 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

In VirtualBox, M5, KDE, 64-bit

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb lib64mariadb-embedded18 lib64mariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb lib64mariadb-embedded18 lib64mariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb-embedded18
Package lib64mariadb-embedded18-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb18
Package lib64mariadb18-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.19-1.mga5.x86_64 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

install mariadb lib64mariadb-embedded18 lib64mariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra from updates_testing

stop and restart mysqld

[[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb-embedded18
Package lib64mariadb-embedded18-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb18
Package lib64mariadb18-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.20-1.mga5.x86_64 is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64

Adding MGA5-32-OK MGA5-64-OK per the previous comments.

CC:
(none) =>
shlomif

Validating. Is adding sysadmins in CC still needed / advised?

Keywords:
(none) =>
validated_update

> Is adding sysadmins in CC still needed / advised?
Not that I know of, the advisory whiteboard marker and validated_update keyword should be enough (unless we really want to make sure that the sysadmins get an email notification about an important update waiting for a push).

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0279.html

Status:
NEW =>
RESOLVED