Bug 19274

Summary: mariadb 10.0.27
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/700651/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: mariadb-10.0.26-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-08-31 02:05:06 CEST 
MariaDB 10.0.27 has been released on August 25:
https://mariadb.com/kb/en/mariadb-10027-release-notes/

Updated package uploaded for Mageia 5.

Advisory:
----------------------------------------

This is a maintenance and bugfix release that upgrades MariaDB to
the latest 10.0.27 version which resolves various upstream bugs.

References:
https://mariadb.com/kb/en/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb-10027-changelog/
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
mariadb-10.0.27-1.mga5
mysql-MariaDB-10.0.27-1.mga5
mariadb-cassandra-10.0.27-1.mga5
mariadb-feedback-10.0.27-1.mga5
mariadb-oqgraph-10.0.27-1.mga5
mariadb-connect-10.0.27-1.mga5
mariadb-sphinx-10.0.27-1.mga5
mariadb-mroonga-10.0.27-1.mga5
mariadb-sequence-10.0.27-1.mga5
mariadb-spider-10.0.27-1.mga5
mariadb-extra-10.0.27-1.mga5
mariadb-obsolete-10.0.27-1.mga5
mariadb-core-10.0.27-1.mga5
mariadb-common-core-10.0.27-1.mga5
mariadb-common-10.0.27-1.mga5
mariadb-client-10.0.27-1.mga5
mariadb-bench-10.0.27-1.mga5
libmariadb18-10.0.27-1.mga5
libmariadb-devel-10.0.27-1.mga5
libmariadb-embedded18-10.0.27-1.mga5
libmariadb-embedded-devel-10.0.27-1.mga5

from mariadb-10.0.27-1.mga5.src.rpm
Comment 1 Dave Hodgins 2016-09-12 00:22:47 CEST 
Tested on Mageia 5 i586 and x86_64 (basic testing only).

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 David Walser 2016-09-12 17:01:05 CEST 
A security issue fixed in this update was disclosed today:
http://openwall.com/lists/oss-security/2016/09/12/4

Please update the advisory in SVN.

Advisory:
========================

Updated mariadb packages fix security vulnerability:

MariaDB before 10.0.27 allowed a malicious user to create a my.cnf in the
datadir and, under certain circumstances, execute arbitrary code as mysql (or
even root) user (CVE-2016-6662).

The mariadb package has been updated to version 10.0.27. It fixes this issue
and other bugs.  See the upstream release notes for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
https://mariadb.com/kb/en/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb-10027-changelog/

Component: RPM Packages => Security
QA Contact: (none) => security
Whiteboard: MGA5-64-OK MGA5-32-OK advisory => MGA5-64-OK MGA5-32-OK

Dave Hodgins 2016-09-13 01:35:36 CEST

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

David Walser 2016-09-14 18:57:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/700651/

Comment 3 Mageia Robot 2016-09-21 22:39:09 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGAA-2016-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2016-11-09 17:21:08 CET 
CVE-2016-5630 and CVE-2016-5612 also fixed in this update.

LWN reference for CVE-2016-5630:
http://lwn.net/Vulnerabilities/706021/

CVE-2016-5612 is on this one with other issues mostly fixed in 10.0.28:
http://lwn.net/Vulnerabilities/705211/