| Summary: | mariadb new security issues (fixed in 10.1.41 and 10.3.17) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | mariadb | CVE: | |
| Status comment: | |||
|
Description
Marc Krämer
2019-08-01 11:58:48 CEST
Marc Krämer
2019-08-01 11:59:41 CEST
Whiteboard:
(none) =>
MGA6TOO
Marc Krämer
2019-08-01 12:00:16 CEST
Summary:
new security issues in MariaDB =>
MariaDB new security issues MGA6: Suggested advisory: ======================== Updated mariadb packages fix security vulnerabilities: Some easily exploitable security issues were discovered and fixed in the latest release from this branch. This release contains some bugfixes for - FULLTEXT INDEX - Encrypted temporary tables - Indexed virtual columns - Recovery & Mariabackup References: https://mariadb.com/kb/en/library/mariadb-10317-release-notes/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2739 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2737 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2758 Updated packages in core/updates_testing: ======================== mariadb-10.1.41-1.mga6 mysql-MariaDB-10.1.41-1.mga6 mariadb-cassandra-10.1.41-1.mga6 mariadb-feedback-10.1.41-1.mga6 mariadb-connect-10.1.41-1.mga6 mariadb-sphinx-10.1.41-1.mga6 mariadb-mroonga-10.1.41-1.mga6 mariadb-sequence-10.1.41-1.mga6 mariadb-spider-10.1.41-1.mga6 mariadb-extra-10.1.41-1.mga6 mariadb-obsolete-10.1.41-1.mga6 mariadb-core-10.1.41-1.mga6 mariadb-common-core-10.1.41-1.mga6 mariadb-common-10.1.41-1.mga6 mariadb-client-10.1.41-1.mga6 mariadb-bench-10.1.41-1.mga6 libmariadb18-10.1.41-1.mga6 libmariadb-devel-10.1.41-1.mga6 libmariadb-embedded18-10.1.41-1.mga6 libmariadb-embedded-devel-10.1.41-1.mga6 mariadb-debuginfo-10.1.41-1.mga6 Source RPMs: mariadb-10.1.41-1.mga6.src.rpm MGA7: Suggested advisory: ======================== Updated mariadb packages fix security vulnerabilities: Some easily exploitable security issues were discovered and fixed in the latest release from this branch. This release contains some bugfixes for - FULLTEXT INDEX - Encrypted temporary tables - Indexed virtual columns - Recovery & Mariabackup References: https://mariadb.com/kb/en/library/mariadb-10317-release-notes/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2739 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2737 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2758 Updated packages in core/updates_testing: ======================== mariadb-10.3.17-1.mga7 mysql-MariaDB-10.3.17-1.mga7 mariadb-feedback-10.3.17-1.mga7 mariadb-connect-10.3.17-1.mga7 mariadb-sphinx-10.3.17-1.mga7 mariadb-mroonga-10.3.17-1.mga7 mariadb-sequence-10.3.17-1.mga7 mariadb-spider-10.3.17-1.mga7 mariadb-extra-10.3.17-1.mga7 mariadb-obsolete-10.3.17-1.mga7 mariadb-core-10.3.17-1.mga7 mariadb-common-core-10.3.17-1.mga7 mariadb-common-10.3.17-1.mga7 mariadb-client-10.3.17-1.mga7 mariadb-bench-10.3.17-1.mga7 libmariadb3-10.3.17-1.mga7 libmariadb-devel-10.3.17-1.mga7 libmariadbd19-10.3.17-1.mga7 libmariadb-embedded-devel-10.3.17-1.mga7 mariadb-debugsource-10.3.17-1.mga7 mariadb-debuginfo-10.3.17-1.mga7 mariadb-feedback-debuginfo-10.3.17-1.mga7 mariadb-connect-debuginfo-10.3.17-1.mga7 mariadb-sphinx-debuginfo-10.3.17-1.mga7 mariadb-mroonga-debuginfo-10.3.17-1.mga7 mariadb-sequence-debuginfo-10.3.17-1.mga7 mariadb-spider-debuginfo-10.3.17-1.mga7 mariadb-extra-debuginfo-10.3.17-1.mga7 mariadb-obsolete-debuginfo-10.3.17-1.mga7 mariadb-core-debuginfo-10.3.17-1.mga7 mariadb-common-debuginfo-10.3.17-1.mga7 mariadb-client-debuginfo-10.3.17-1.mga7 mariadb-bench-debuginfo-10.3.17-1.mga7 libmariadb3-debuginfo-10.3.17-1.mga7 libmariadbd19-debuginfo-10.3.17-1.mga7 libmariadb-embedded-devel-debuginfo-10.3.17-1.mga7 Source RPMs: mariadb-10.3.17-1.mga7.src.rpm Assignee:
mageia =>
qa-bugs Installed and tested without issues.
Tested using:
- php scripts using PDO/mysql;
- myphpadmin;
- Qt5 applications using the mysql plugin.
- MySQL Workbench;
- mysql CLI;
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.1.18-desktop-1.mga7 #1 SMP Sun Jul 14 10:08:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$
$
$ rpm -qa | grep -iE 'mariadb|mysql' | sort
lib64mariadb3-10.3.17-1.mga7
lib64mysqlcppconn7-1.1.9-2.1.mga7
lib64qt5-database-plugin-mysql-5.12.2-2.mga7
mariadb-10.3.17-1.mga7
mariadb-client-10.3.17-1.mga7
mariadb-common-10.3.17-1.mga7
mariadb-common-core-10.3.17-1.mga7
mariadb-core-10.3.17-1.mga7
mariadb-extra-10.3.17-1.mga7
mysql-workbench-6.3.10-6.mga7
perl-DBD-mysql-4.50.0-1.mga7
php-mysqli-7.3.8-1.mga7
php-mysqlnd-7.3.8-1.mga7
php-pdo_mysql-7.3.8-1.mga7
$
$
$ systemctl status mysqld
● mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2019-08-02 14:45:59 WEST; 2s ago
Process: 14468 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 14483 (mysqld)
Status: "Taking your SQL requests now..."
Memory: 54.1M
CGroup: /system.slice/mysqld.service
└─14483 /usr/sbin/mysqld
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: 10.3.17 started; log sequence number 292399285; transaction id 893247
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
ago 02 14:45:59 marte mysqld[14483]: 190802 14:45:59 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
ago 02 14:45:59 marte mysqld[14483]: 190802 14:45:59 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2019-08-02 14:45:59 0 [Note] Reading of all Master_info entries s>
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] Added new Master_info '' to hash table
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] /usr/sbin/mysqld: ready for connections.
ago 02 14:45:59 marte mysqld[14483]: Version: '10.3.17-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
ago 02 14:45:59 marte systemd[1]: Started MySQL database server.
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: Buffer pool(s) load completed at 190802 14:45:59CC:
(none) =>
mageia Have been using this update without issues for several days now. I'm putting and OK for x86_64 on this. Feel free to remove it if you think an OK is premature. Whiteboard:
MGA6TOO =>
MGA6TOO MGA6-64-OK
PC LX
2019-08-07 01:02:18 CEST
Whiteboard:
MGA6TOO MGA6-64-OK =>
MGA6TOO MGA7-64-OK We need an MGA6 OK before this ca be validated. CC:
(none) =>
andrewsfarm
Thomas Backlund
2019-08-10 16:52:15 CEST
QA Contact:
(none) =>
security
David Walser
2019-08-10 18:16:53 CEST
Summary:
MariaDB new security issues =>
mariadb new security issues (fixed in 10.1.41 and 10.3.17) MGA6 - 64bit - Xfce - Mariadb 10.1.41 $ uname -a Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux - glibc-devel-2.22-29.mga6.x86_64 - kernel-userspace-headers-4.14.137-1.mga6.x86_64 - lib64aio-devel-0.3.110-4.mga6.x86_64 - lib64aio1-0.3.110-4.mga6.x86_64 - lib64bzip2-devel-1.0.6-10.mga6.x86_64 - lib64jemalloc2-4.5.0-4.mga6.x86_64 - lib64lz4-devel-1.7.5-1.mga6.x86_64 - lib64lz4_1-1.7.5-1.mga6.x86_64 - lib64lzma-devel-5.2.3-1.mga6.x86_64 - lib64lzo-devel-2.09-4.mga6.x86_64 - lib64mariadb-devel-10.1.41-1.mga6.x86_64 - lib64mariadb-embedded-devel-10.1.41-1.mga6.x86_64 - lib64mariadb-embedded18-10.1.41-1.mga6.x86_64 - lib64mariadb18-10.1.41-1.mga6.x86_64 - lib64minilzo0-2.09-4.mga6.x86_64 - lib64openssl-devel-1.0.2r-1.mga6.x86_64 - lib64pcre-devel-8.41-1.mga6.x86_64 - lib64pcre32_0-8.41-1.mga6.x86_64 - lib64pcreposix1-8.41-1.mga6.x86_64 - lib64pq5-9.6.15-1.mga6.x86_64 - lib64zlib-devel-1.2.11-4.1.mga6.x86_64 - libstdc++-devel-5.5.0-2.mga6.x86_64 - libstdc++6-5.5.0-2.mga6.x86_64 - mariadb-10.1.41-1.mga6.x86_64 - mariadb-client-10.1.41-1.mga6.x86_64 - mariadb-common-10.1.41-1.mga6.x86_64 - mariadb-common-core-10.1.41-1.mga6.x86_64 - mariadb-core-10.1.41-1.mga6.x86_64 - mariadb-extra-10.1.41-1.mga6.x86_64 - mariadb-feedback-10.1.41-1.mga6.x86_64 - mariadb-mroonga-10.1.41-1.mga6.x86_64 - mariadb-obsolete-10.1.41-1.mga6.x86_64 - mariadb-sequence-10.1.41-1.mga6.x86_64 - mariadb-sphinx-10.1.41-1.mga6.x86_64 - mariadb-spider-10.1.41-1.mga6.x86_64 - perl-DBI-1.636.0-2.mga6.x86_64 - sphinx-2.2.11-1.mga6.x86_64 Installed nextcloud to use mariadb. Working as designed. CC:
(none) =>
brtians1 MGA6 32bit - Mate $ uname -a Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux - libaio1-0.3.110-4.mga6.i586 - libjemalloc2-4.5.0-4.mga6.i586 - liblz4_1-1.7.5-1.mga6.i586 - libmariadb18-10.1.41-1.mga6.i586 - libpcreposix1-8.41-1.mga6.i586 - mariadb-10.1.41-1.mga6.i586 - mariadb-client-10.1.41-1.mga6.i586 - mariadb-common-10.1.41-1.mga6.i586 - mariadb-common-core-10.1.41-1.mga6.i586 - mariadb-core-10.1.41-1.mga6.i586 - mariadb-extra-10.1.41-1.mga6.i586 - perl-DBI-1.636.0-2.mga6.i586 Repeated nextcloud test - it worked. Whiteboard:
MGA6TOO MGA7-64-OK =>
MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK Thank you, Brian. Validating to send it on its way... Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0224.html Resolution:
(none) =>
FIXED |