Ubuntu has issued an advisory today (April 23):
http://www.ubuntu.com/usn/usn-2170-1/
The CVEs are also covered in the latest Oracle Critical Patch Update, along with Java:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
I'm assuming that some or all of these issues are also fixed in MariaDB 5.5.37:
https://blog.mariadb.org/mariadb-5-5-37-now-available/
Looks like they're mostly minor issues except for CVE-2014-2436 and CVE-2014-2440.
Whiteboard: (none) => MGA3TOO
in progress...
CC: (none) => tmb
Seems oden built 5.5.37 for mga3 on April 18th so rpms to test:
mga3:
SRPM:
mariadb-5.5.37-1.mga3.src.rpm
i586:
libmariadb18-5.5.37-1.mga3.i586.rpm
libmariadb-devel-5.5.37-1.mga3.i586.rpm
libmariadb-embedded18-5.5.37-1.mga3.i586.rpm
libmariadb-embedded-devel-5.5.37-1.mga3.i586.rpm
mariadb-5.5.37-1.mga3.i586.rpm
mariadb-bench-5.5.37-1.mga3.i586.rpm
mariadb-client-5.5.37-1.mga3.i586.rpm
mariadb-common-5.5.37-1.mga3.i586.rpm
mariadb-common-core-5.5.37-1.mga3.i586.rpm
mariadb-core-5.5.37-1.mga3.i586.rpm
mariadb-extra-5.5.37-1.mga3.i586.rpm
mariadb-feedback-5.5.37-1.mga3.i586.rpm
mariadb-obsolete-5.5.37-1.mga3.i586.rpm
mysql-MariaDB-5.5.37-1.mga3.i586.rpm
x86_64:
lib64mariadb18-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-devel-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-embedded18-5.5.37-1.mga3.x86_64.rpm
lib64mariadb-embedded-devel-5.5.37-1.mga3.x86_64.rpm
mariadb-5.5.37-1.mga3.x86_64.rpm
mariadb-bench-5.5.37-1.mga3.x86_64.rpm
mariadb-client-5.5.37-1.mga3.x86_64.rpm
mariadb-common-5.5.37-1.mga3.x86_64.rpm
mariadb-common-core-5.5.37-1.mga3.x86_64.rpm
mariadb-core-5.5.37-1.mga3.x86_64.rpm
mariadb-extra-5.5.37-1.mga3.x86_64.rpm
mariadb-feedback-5.5.37-1.mga3.x86_64.rpm
mariadb-obsolete-5.5.37-1.mga3.x86_64.rpm
mysql-MariaDB-5.5.37-1.mga3.x86_64.rpm
mga4:
SRPM:
mariadb-5.5.37-1.mga4.src.rpm
i586:
libmariadb18-5.5.37-1.mga4.i586.rpm
libmariadb-devel-5.5.37-1.mga4.i586.rpm
libmariadb-embedded18-5.5.37-1.mga4.i586.rpm
libmariadb-embedded-devel-5.5.37-1.mga4.i586.rpm
mariadb-5.5.37-1.mga4.i586.rpm
mariadb-bench-5.5.37-1.mga4.i586.rpm
mariadb-client-5.5.37-1.mga4.i586.rpm
mariadb-common-5.5.37-1.mga4.i586.rpm
mariadb-common-core-5.5.37-1.mga4.i586.rpm
mariadb-core-5.5.37-1.mga4.i586.rpm
mariadb-extra-5.5.37-1.mga4.i586.rpm
mariadb-feedback-5.5.37-1.mga4.i586.rpm
mariadb-obsolete-5.5.37-1.mga4.i586.rpm
mysql-MariaDB-5.5.37-1.mga4.i586.rpm
x86_64:
lib64mariadb18-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-devel-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-embedded18-5.5.37-1.mga4.x86_64.rpm
lib64mariadb-embedded-devel-5.5.37-1.mga4.x86_64.rpm
mariadb-5.5.37-1.mga4.x86_64.rpm
mariadb-bench-5.5.37-1.mga4.x86_64.rpm
mariadb-client-5.5.37-1.mga4.x86_64.rpm
mariadb-common-5.5.37-1.mga4.x86_64.rpm
mariadb-common-core-5.5.37-1.mga4.x86_64.rpm
mariadb-core-5.5.37-1.mga4.x86_64.rpm
mariadb-extra-5.5.37-1.mga4.x86_64.rpm
mariadb-feedback-5.5.37-1.mga4.x86_64.rpm
mariadb-obsolete-5.5.37-1.mga4.x86_64.rpm
mysql-MariaDB-5.5.37-1.mga4.x86_64.rpm
Assignee: alien => qa-bugs
Thanks Thomas!
Advisory:
========================
Updated mariadb packages fix security vulnerabilities:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML (CVE-2014-0384).
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition (CVE-2014-2419).
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema (CVE-2014-2430).
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options (CVE-2014-2431).
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated (CVE-2014-2432).
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR (CVE-2014-2436).
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication (CVE-2014-2438).
Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors (CVE-2014-2440).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440
https://mariadb.com/kb/en/mariadb-5537-changelog/
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:102/
Testing MGA4 64-bit real h/w.
Updated from Updates Testing:-
mariadb-5.5.37-1.mga4
mariadb-client-5.5.37-1.mga4
mariadb-extra-5.5.37-1.mga4
mariadb-core-5.5.37-1.mga4
mariadb-common-5.5.37-1.mga4
lib64mariadb-embedded18-5.5.37-1.mga4
mariadb-common-core-5.5.37-1.mga4
Played with Moodle & phpMyAdmin, these simple things revealed nothing nasty. (Alas have lost details for egroupware to try that as well, but never got it set up initially).
Am OK-ing this update.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Running fine on our MediaWiki and Moodle servers here at work (Mageia 4 i586).
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
In VirtualBox, M3, KDE, 32-bit
Package(s) under test:
mariadb phpmyadmin
Setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testmaria
[root@localhost wilcal]# mysqladmin -u root password
type password "testmaria" twice
default install of mariadb
[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.36-1.mga3.x86_64 is already installed
localhost/phpmyadmin works
install package from updates_testing
[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.37-1.mga3.i586 is already installed
localhost/phpmyadmin works
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA4-64-OK MGA4-32-OK
In VirtualBox, M3, KDE, 64-bit
Package(s) under test:
mariadb phpmyadmin
Setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testmaria
[root@localhost wilcal]# mysqladmin -u root password
type password "testmaria" twice
default install of mariadb
[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.36-1.mga3.i586 is already installed
localhost/phpmyadmin works
install package from updates_testing
[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.37-1.mga3.x86_64 is already installed
localhost/phpmyadmin works
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
If everyone is happy let's Validate this update.
Validating update, advisory has been uploaded. Please push mariadb to 3 & 4 core/updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0239.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED