Ubuntu has issued an advisory today (July 17):
http://www.ubuntu.com/usn/usn-2291-1/
The CVEs are also covered in the latest Oracle Critical Patch Update, along with Java:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
I'm assuming that some or all of these issues are also fixed in MariaDB 5.5.38:
https://blog.mariadb.org/mariadb-5-5-38-now-available/
Mageia 3 is also affected. Oden has actually already built this in updates_testing on June 12. Mandriva issued an advisory (no mention of security issues) on June 12:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVA-2014:007/
I guess we'll do a really generic advisory for now. It'd be nice if we can get some confirmation that those CVEs are relevant for this update. If so, we can include them.
Advisory:
----------------------------------------
This update provides MariaDB 5.5.38, which fixes several bugs and potentially security issues.
References:
https://mariadb.com/kb/en/mariadb-5538-changelog/
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVA-2014:007/
----------------------------------------
Updated packages in core/updates_testing:
----------------------------------------
libmariadb-devel-5.5.38-1.mga3
libmariadb-embedded-devel-5.5.38-1.mga3
libmariadb-embedded18-5.5.38-1.mga3
libmariadb18-5.5.38-1.mga3
mariadb-5.5.38-1.mga3
mariadb-bench-5.5.38-1.mga3
mariadb-client-5.5.38-1.mga3
mariadb-common-5.5.38-1.mga3
mariadb-common-core-5.5.38-1.mga3
mariadb-core-5.5.38-1.mga3
mariadb-extra-5.5.38-1.mga3
mariadb-feedback-5.5.38-1.mga3
mariadb-obsolete-5.5.38-1.mga3
mysql-MariaDB-5.5.38-1.mga3
libmariadb-devel-5.5.38-1.mga4
libmariadb-embedded-devel-5.5.38-1.mga4
libmariadb-embedded18-5.5.38-1.mga4
libmariadb18-5.5.38-1.mga4
mariadb-5.5.38-1.mga4
mariadb-bench-5.5.38-1.mga4
mariadb-client-5.5.38-1.mga4
mariadb-common-5.5.38-1.mga4
mariadb-common-core-5.5.38-1.mga4
mariadb-core-5.5.38-1.mga4
mariadb-extra-5.5.38-1.mga4
mariadb-feedback-5.5.38-1.mga4
mariadb-obsolete-5.5.38-1.mga4
mysql-MariaDB-5.5.38-1.mga4
from SRPMS:
mariadb-5.5.38-1.mga3.src.rpm
mariadb-5.5.38-1.mga4.src.rpm
CC: (none) => alien, oe
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO
It seems the primary security person from MariaDB is on leave atm, but since the changelog lists a mysql-5.5.38 merge, I'm assuming yes.
Thanks AL13N! Updated advisory.
Advisory:
========================
Updated mariadb packages fix security vulnerabilities:
This update provides MariaDB 5.5.38, which fixes several security issues and other bugs.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4260
https://mariadb.com/kb/en/mariadb-5538-changelog/
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.ubuntu.com/usn/usn-2291-1/
Testing complete mga4 64 using wordpress and phpmyadmin with the updates installed
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32 with phpmyadmin & owncloud configured with mysql DB
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Also tested with phpmyadmin and mediawiki on both mga4 32 and 64. No issue found.
CC: (none) => dpremy
Tested with phpmyadmin, on commandline and upgrade and install a new wordpress log on mga3 32bit. Everything is working fine.
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok
Performed same tests as above on mga3 64bit as well and no errors detected. Please upload the advisory and then the update can be pushed to updates.
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
Validating now so it doesn't get missed. The advisory still needs to be uploaded. Sysadmins, please push this to updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok advisory
Update pushed.
http://advisories.mageia.org/MGASA-2014-0299.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
LWN reference for CVE-2015-0391, fixed in 5.5.38 (CVE recently assigned): http://lwn.net/Vulnerabilities/631836/