Bug 21557

Summary: mariadb 10.0.32
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: mariadb-10.0.31-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-08-17 23:33:07 CEST 
MariaDB has released version 10.0.32 on August 7:
https://mariadb.com/kb/en/mariadb/mariadb-10032-release-notes/

It fixes:
CVE-2017-3636
CVE-2017-3641
CVE-2017-3653

Updated package uploaded for Mageia 5.  Note that CVE-2017-3265 is also fixed in a downstream script (thanks to tmb).

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Difficult to exploit vulnerability in MariaDB Server allows high privileged
attacker with logon to the infrastructure where MariaDB Server executes to
compromise MariaDB Server. Successful attacks require human interaction from
a person other than the attacker. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access to all
MariaDB Server accessible data and unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2017-3265).

Easily exploitable vulnerability in MariaDB Server allows low privileged
attacker with logon to the infrastructure where MariaDB Server executes to
compromise MariaDB Server. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of MariaDB
Server accessible data as well as unauthorized read access to a subset of
MariaDB Server accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of MariaDB Server (CVE-2017-3636).

Easily exploitable vulnerability in MariaDB Server allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MariaDB Server (CVE-2017-3641).

Difficult to exploit vulnerability in MariaDB Server allows low privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MariaDB Server accessible data
(CVE-2017-3653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653
https://mariadb.com/kb/en/mariadb/mariadb-10032-release-notes/
https://mariadb.com/kb/en/mariadb-10032-changelog/
========================

Updated packages in core/updates_testing:
========================
mariadb-10.0.32-1.mga5
mysql-MariaDB-10.0.32-1.mga5
mariadb-cassandra-10.0.32-1.mga5
mariadb-feedback-10.0.32-1.mga5
mariadb-oqgraph-10.0.32-1.mga5
mariadb-connect-10.0.32-1.mga5
mariadb-sphinx-10.0.32-1.mga5
mariadb-mroonga-10.0.32-1.mga5
mariadb-sequence-10.0.32-1.mga5
mariadb-spider-10.0.32-1.mga5
mariadb-extra-10.0.32-1.mga5
mariadb-obsolete-10.0.32-1.mga5
mariadb-core-10.0.32-1.mga5
mariadb-common-core-10.0.32-1.mga5
mariadb-common-10.0.32-1.mga5
mariadb-client-10.0.32-1.mga5
mariadb-bench-10.0.32-1.mga5
libmariadb18-10.0.32-1.mga5
libmariadb-devel-10.0.32-1.mga5
libmariadb-embedded18-10.0.32-1.mga5
libmariadb-embedded-devel-10.0.32-1.mga5

from mariadb-10.0.32-1.mga5.src.rpm
Comment 1 David Walser 2017-08-17 23:33:46 CEST 
Debian has issued an advisory for this today (August 17):
https://www.debian.org/security/2017/dsa-3944
Comment 2 Herman Viaene 2017-08-18 16:22:51 CEST 
MGA5-32 on Asus A6000VM Xfce
Had to remove libdb develop package to be able to install maria, no further issues.
Before installing: stopped current mysqld, removed /var/lib/mysql
After installation at CLI:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: <XXXXX>
Re-enter new password: <XXXXX>
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
 ... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Then used phpmyadmin to create a new table in the test database and dropped it again.
All seems OK

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 3 PC LX 2017-08-19 21:22:06 CEST 
Installed and tested without issue.

Don't have libdb installed.

The tests consisted of using several scripts (e.g. wordpress), MySQL Workbench and a custom somewhat large SQL script to create a database with several tables, import data, calculate some statistics, and then delete the database.

System: Mageia 5, x86_64, Intel CPU.

# rpm -qa | grep mariadb | sort
lib64mariadb18-10.0.32-1.mga5
lib64mariadb-embedded18-10.0.32-1.mga5
mariadb-10.0.32-1.mga5
mariadb-bench-10.0.32-1.mga5
mariadb-client-10.0.32-1.mga5
mariadb-common-10.0.32-1.mga5
mariadb-common-core-10.0.32-1.mga5
mariadb-core-10.0.32-1.mga5
mariadb-extra-10.0.32-1.mga5
mariadb-feedback-10.0.32-1.mga5

CC: (none) => mageia
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 Lewis Smith 2017-08-20 10:26:53 CEST 
Advisory from Comment 0. Validating at the same time, 2 OKs.

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-08-20 10:49:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0289.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED