Bug 13757 - mariadb new security issues fixed in 5.5.38
Summary: mariadb new security issues fixed in 5.5.38
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/605812/
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-17 18:48 CEST by David Walser
Modified: 2015-02-04 20:07 CET (History)
6 users (show)

See Also:
Source RPM: mariadb-5.5.37-1.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-07-17 18:48:44 CEST 
Ubuntu has issued an advisory today (July 17):
http://www.ubuntu.com/usn/usn-2291-1/

The CVEs are also covered in the latest Oracle Critical Patch Update, along with Java:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

I'm assuming that some or all of these issues are also fixed in MariaDB 5.5.38:
https://blog.mariadb.org/mariadb-5-5-38-now-available/

Mageia 3 is also affected.

Oden has actually already built this in updates_testing on June 12.

Mandriva issued an advisory (no mention of security issues) on June 12:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVA-2014:007/

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-07-17 18:52:16 CEST 
I guess we'll do a really generic advisory for now.  It'd be nice if we can get some confirmation that those CVEs are relevant for this update.  If so, we can include them.

Advisory:
----------------------------------------

This update provides MariaDB 5.5.38, which fixes several bugs and potentially
security issues.

References:
https://mariadb.com/kb/en/mariadb-5538-changelog/
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVA-2014:007/
----------------------------------------
Updated packages in core/updates_testing:
----------------------------------------
libmariadb-devel-5.5.38-1.mga3
libmariadb-embedded-devel-5.5.38-1.mga3
libmariadb-embedded18-5.5.38-1.mga3
libmariadb18-5.5.38-1.mga3
mariadb-5.5.38-1.mga3
mariadb-bench-5.5.38-1.mga3
mariadb-client-5.5.38-1.mga3
mariadb-common-5.5.38-1.mga3
mariadb-common-core-5.5.38-1.mga3
mariadb-core-5.5.38-1.mga3
mariadb-extra-5.5.38-1.mga3
mariadb-feedback-5.5.38-1.mga3
mariadb-obsolete-5.5.38-1.mga3
mysql-MariaDB-5.5.38-1.mga3
libmariadb-devel-5.5.38-1.mga4
libmariadb-embedded-devel-5.5.38-1.mga4
libmariadb-embedded18-5.5.38-1.mga4
libmariadb18-5.5.38-1.mga4
mariadb-5.5.38-1.mga4
mariadb-bench-5.5.38-1.mga4
mariadb-client-5.5.38-1.mga4
mariadb-common-5.5.38-1.mga4
mariadb-common-core-5.5.38-1.mga4
mariadb-core-5.5.38-1.mga4
mariadb-extra-5.5.38-1.mga4
mariadb-feedback-5.5.38-1.mga4
mariadb-obsolete-5.5.38-1.mga4
mysql-MariaDB-5.5.38-1.mga4

from SRPMS:
mariadb-5.5.38-1.mga3.src.rpm
mariadb-5.5.38-1.mga4.src.rpm

CC: (none) => alien, oe
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO

Comment 2 AL13N 2014-07-17 22:53:41 CEST 
it seems the primary security person from mariadb is on leave atm, but since the changelog lists a mysql-5.5.38 merge, i'm assuming yes.
Comment 3 David Walser 2014-07-17 23:04:43 CEST 
Thanks AL13N!

Updated advisory.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

This update provides MariaDB 5.5.38, which fixes several security issues and
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4260
https://mariadb.com/kb/en/mariadb-5538-changelog/
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.ubuntu.com/usn/usn-2291-1/
Comment 4 claire robinson 2014-07-18 16:50:09 CEST 
Testing complete mga4 64 using wordpress and phpmyadmin with the updates installed

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 5 claire robinson 2014-07-18 16:59:39 CEST 
Testing complete mga4 32 with phpmyadmin & owncloud configured with mysql DB
claire robinson 2014-07-18 16:59:50 CEST

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 6 David Remy 2014-07-19 03:16:37 CEST 
Also tested with phpmyadmin and mediawiki on both mga4 32 and 64. No issue found.

CC: (none) => dpremy

Comment 7 Marc Lattemann 2014-07-21 23:09:29 CEST 
tested with phpmyadmin, on commandline and upgrade and install a new wordpress log on mga3 32bit. Everything is working fine.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok

Comment 8 Marc Lattemann 2014-07-21 23:26:44 CEST 
performed same tests as above on mga3 64bit as well and no errors detected. 

Please upload the advisory and then the update can be pushed to updates.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Comment 9 David Walser 2014-07-24 03:04:12 CEST 
Validating now so it doesn't get missed.  The advisory still needs to be uploaded.

Sysadmins, please push this to updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Rémi Verschelde 2014-07-26 11:46:45 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok advisory

Comment 11 Colin Guthrie 2014-07-26 14:50:10 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0299.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

Comment 12 David Walser 2015-02-04 20:07:42 CET 
LWN reference for CVE-2015-0391, fixed in 5.5.38 (CVE recently assigned):
http://lwn.net/Vulnerabilities/631836/
Note You need to log in before you can comment on or make changes to this bug.