Bug 20487

Summary: mariadb 10.0.30
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK
Source RPM: mariadb-10.0.29-1.3.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 20275    

Description David Walser 2017-03-15 01:58:53 CET 
MariaDB has released version 10.0.30 on March 8:
https://mariadb.com/kb/en/mariadb/mariadb-10030-release-notes/

It fixes at least two security issues.

Update checked into Mageia 5 SVN.
David Walser 2017-03-15 01:59:13 CET

Blocks: (none) => 20275

Marja Van Waes 2017-03-15 12:28:07 CET

CC: (none) => marja11
Assignee: bugsquad => alien

Comment 1 David Walser 2017-03-16 11:13:18 CET 
Updated package uploaded for Mageia 5.  Note that Bug 20275 is also fixed.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Crash in libmysqlclient.so in MariaDB 10.0.x through 10.0.29 (CVE-2017-3302).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent: Server:
MyISAM). Difficult to exploit vulnerability allows low privileged attacker with
logon to the infrastructure where MariaDB Server executes to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all MariaDB Server accessible data
(CVE-2017-3313).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313
https://mariadb.com/kb/en/mariadb/mariadb-10030-release-notes/
========================

Updated packages in core/updates_testing:
========================
mariadb-10.0.30-1.mga5
mysql-MariaDB-10.0.30-1.mga5
mariadb-cassandra-10.0.30-1.mga5
mariadb-feedback-10.0.30-1.mga5
mariadb-oqgraph-10.0.30-1.mga5
mariadb-connect-10.0.30-1.mga5
mariadb-sphinx-10.0.30-1.mga5
mariadb-mroonga-10.0.30-1.mga5
mariadb-sequence-10.0.30-1.mga5
mariadb-spider-10.0.30-1.mga5
mariadb-extra-10.0.30-1.mga5
mariadb-obsolete-10.0.30-1.mga5
mariadb-core-10.0.30-1.mga5
mariadb-common-core-10.0.30-1.mga5
mariadb-common-10.0.30-1.mga5
mariadb-client-10.0.30-1.mga5
mariadb-bench-10.0.30-1.mga5
libmariadb18-10.0.30-1.mga5
libmariadb-devel-10.0.30-1.mga5
libmariadb-embedded18-10.0.30-1.mga5
libmariadb-embedded-devel-10.0.30-1.mga5

from mariadb-10.0.30-1.mga5.src.rpm

Assignee: alien => qa-bugs

Comment 2 David Walser 2017-03-16 14:27:45 CET 
Debian has issued an advisory for this on March 14:
https://www.debian.org/security/2017/dsa-3809
Comment 3 Dave Hodgins 2017-03-17 02:05:42 CET 
# cd /usr/share/mysql/sql-bench/
# perl run-all-tests --server=mysql --user=root --password=munged --small-test

Test completed ok in 491 seconds on my x86_64 Mageia 5 install.

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory MGA5-64-OK

Comment 4 Dave Hodgins 2017-03-31 06:43:46 CEST 
Validating the update

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-03-31 08:15:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0096.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED