Bug 19693

Summary: mariadb 10.0.28
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/705211/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: mariadb-10.0.27-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-11-01 19:40:53 CET 
MariaDB has released version 10.0.28 on October 28:
https://mariadb.org/mariadb-10-0-28-now-available/

It fixes several security issues, according to the release notes:
https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/

RedHat has issued an advisory for this on October 31:
https://rhn.redhat.com/errata/RHSA-2016-2131.html

Some of these issues are also in the latest Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

10.0.28 is building for Mageia 5 right now, advisory to come later.
Comment 1 William Kenney 2016-11-03 21:51:42 CET 
https://bugs.mageia.org/show_bug.cgi?id=16551

is a good tutorial on how to test this.

CC: (none) => wilcal.int

Comment 2 Herman Viaene 2016-11-04 14:07:40 CET 
MGA5-32 on Acer D620 Xfce
No  installatioon issues
Did some tests as per Comment 1:
With phpmyadmin, created a table and filled in some values
Got into mediawiki and set a new one up.
Note for later readers, phphmyadmin and mediawiki are not part of the install, you need to install the packages separately.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 3 Lewis Smith 2016-11-04 22:21:07 CET 
Testing M5-64 real hardware
MariaDB updated to:
 lib64mariadb18-10.0.28-1.mga5
 lib64mariadb-devel-10.0.28-1.mga5
 lib64mariadb-embedded18-10.0.28-1.mga5
 mariadb-10.0.28-1.mga5
 mariadb-client-10.0.28-1.mga5
 mariadb-common-10.0.28-1.mga5
 mariadb-common-core-10.0.28-1.mga5
 mariadb-core-10.0.28-1.mga5
 mariadb-extra-10.0.28-1.mga5
 mariadb-feedback-10.0.28-1.mga5

(In reply to William Kenney from comment #1)
> https://bugs.mageia.org/show_bug.cgi?id=16551
> is a good tutorial on how to test this.
As far as I could see, this boiled down to: play with MediaWiki and PHPmyadmin.
One could equally use Drupal, Moodle, Wordpress if those are installed to use MariaDB; or any more obscure application like Cacti, Bacula. Certainly PHPmyadmin is the most ubiquitous.

I played with Cacti, which I cannot make show what I want, but its (mis)behaviour was consistent before & after the MariaDB update. Added & deleted graphs, changed display timespan.
Played more with PHPmysql: created a table with columns, put data into them, altered the column names, deleted one. Looked at other real DBs. Things happened as expected.

OK, but am witholding validation until an Advisory is available (to avoid this from then being UNvalidated & moved back out of the 'validated' list, awaiting advisory).

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 Lewis Smith 2016-11-07 09:53:08 CET 
Am validating this to get it off the main list of updates to test.
Sysadmins please be patient until the Advisory is available; this is (or was) quite normal. Quote:
"Below is a list of validated updates waiting to be pushed to the updates media. Those without a star* need an advisory to be uploaded, first."

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2016-11-07 18:25:36 CET 
Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

A race condition was found in the way MariaDB performed MyISAM engine
table repair. A database user with shell access to the server running
mysqld could use this flaw to change permissions of arbitrary files
writable by the mysql system user (CVE-2016-6663).

This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section (CVE-2016-3492,
CVE-2016-5584, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629,
CVE-2016-7440, CVE-2016-8283).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8283
https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://rhn.redhat.com/errata/RHSA-2016-2595.html
Comment 6 Lewis Smith 2016-11-09 22:31:34 CET 
Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2016-11-09 22:43:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0371.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED