Upstream has released version 5.5.39 on August 5:
https://blog.mariadb.org/mariadb-5-5-39-now-available/

It probably fixes security issues, so we should prepare an update.

A SuSE update for MySQL made me think to check for this:
http://lwn.net/Vulnerabilities/609963/
CC: (none) => oe
Whiteboard: (none) => MGA3TOO
I don't have any details on security issues that might have been fixed at this time, but Oden has packaged this update. Assigning to QA. Advisory to come later.

For now, refer to the Release Notes and Changelog:
https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5539-release-notes/
https://mariadb.com/kb/en/mariadb/development/changelogs/mariadb-5539-changelog/

I have actually seen an inquiry about a possible security issue fixed in MySQL 5.5.39 (likely included here as well). We'll see what comes of it:
http://openwall.com/lists/oss-security/2014/09/10/2

Updated packages in core/updates_testing:
========================
mariadb-5.5.39-1.mga3
mysql-MariaDB-5.5.39-1.mga3
mariadb-feedback-5.5.39-1.mga3
mariadb-extra-5.5.39-1.mga3
mariadb-obsolete-5.5.39-1.mga3
mariadb-core-5.5.39-1.mga3
mariadb-common-core-5.5.39-1.mga3
mariadb-common-5.5.39-1.mga3
mariadb-client-5.5.39-1.mga3
mariadb-bench-5.5.39-1.mga3
libmariadb18-5.5.39-1.mga3
libmariadb-devel-5.5.39-1.mga3
libmariadb-embedded18-5.5.39-1.mga3
libmariadb-embedded-devel-5.5.39-1.mga3

mariadb-5.5.39-1.mga4
mysql-MariaDB-5.5.39-1.mga4
mariadb-feedback-5.5.39-1.mga4
mariadb-extra-5.5.39-1.mga4
mariadb-obsolete-5.5.39-1.mga4
mariadb-core-5.5.39-1.mga4
mariadb-common-core-5.5.39-1.mga4
mariadb-common-5.5.39-1.mga4
mariadb-client-5.5.39-1.mga4
mariadb-bench-5.5.39-1.mga4
libmariadb18-5.5.39-1.mga4
libmariadb-devel-5.5.39-1.mga4
libmariadb-embedded18-5.5.39-1.mga4
libmariadb-embedded-devel-5.5.39-1.mga4

from SRPMS:
mariadb-5.5.39-1.mga3.src.rpm
mariadb-5.5.39-1.mga4.src.rpm
CC: (none) => alien
Assignee: alien => qa-bugs
Can we come up with a dead simple test procedure for mariadb?

I did the following:

Setup mariadb
In root terminal:
systemctl start mysqld.service
Set password to: testmaria
[root@localhost wilcal]# mysqladmin -u root password
type password "testmaria" twice

And was able to launch and go through simple processes with:
phpmyadmin
owncloud
mediawiki

Does that really mean that mariadb is installed and working? After I update mariadb, does simply reopening http://localhost/owncloud/ successfully mean that mariadb was successfully updated? How about a nice 5-line test procedure.
CC: (none) => wilcal.int
Certainly if it works fine with webapps like mediawiki and moodle, it should be fine.

Also, make sure to run "mysql_upgrade" (as root) after installing the updated mariadb packages if you're testing updating it from an existing installation.

Note that the Moodle testing procedure has detailed steps (including the exact commands) for setting up the MariaDB/MySQL database for Moodle.
Fedora has issued an advisory for this today (September 10):
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137559.html

Here's a preliminary advisory. I'll update it if information on any other security issues comes to light.

Advisory:
========================

Updated mariadb packages fix security vulnerability:

MyISAM temporary files could be used to mount a code-execution attack (CVE-2014-4274).

The mariadb package has been updated to version 5.5.39, which fixes this and several other issues. Refer to the upstream Changelog for more details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4274
https://mariadb.com/kb/en/mariadb/development/changelogs/mariadb-5539-changelog/
http://openwall.com/lists/oss-security/2014/09/10/2
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137559.html
URL: (none) => http://lwn.net/Vulnerabilities/611457/
No PoC, that I can see. From the launchpad link on the openwall post, it adds checks for whether the file exists. It could be possible to verify this with strace, but we'd need to be able to reproduce the original issue.

Test for obvious regressions. Use various webapps.

You can run the tests from the mariadb-bench package too if you like. They can need some coaxing to work properly though and take quite some time.
# cd /usr/share/mysql/mysql-test
# ./mysql-test-run.pl
Working fine on our production Moodle and Mediawiki servers at work, Mageia 4 i586.
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
Testing mga4 64 as in comment 5. I'll try with mariadb-bench also.
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK
Testing complete mga4 64

Added the parallel=4 to use 4 available cores.
# cd /usr/share/mysql/mysql-test
# ./mysql-test-run --parallel=4
<snip lots of tests being run>
--------------------------------------------------------------------------
The servers were restarted 778 times
Spent 5595.633 of 1957 seconds executing testcases

Completed: All 2695 tests were successful.

382 tests were skipped, 190 by the test itself.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK mga4-64-ok
Testing mga3 32
Testing mga3 32

These tests take a long time even on a fast computer :-))
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: mariadb mariadb-bench libmariadb-embedded18 mariadb-core mariadb-extra

default install of mariadb & mariadb-bench

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.38-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.38-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-5.5.38-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.38-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.38-1.mga3.i586 is already installed

In su terminal
cd /usr/share/mysql/mysql-test
ran lots of ./mysql-test-run --parallel=4 tests. Ctrl-Z to stop.
Some skipped, no errors reported
http://localhost/owncloud/ opens and is usable

install mariadb & mariadb-bench from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.39-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.39-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-5.5.39-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.39-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.39-1.mga3.i586 is already installed

In su terminal
cd /usr/share/mysql/mysql-test
ran lots of ./mysql-test-run --parallel=4 tests. Ctrl-Z to stop.
Some skipped, no errors reported
http://localhost/owncloud/ opens and is usable

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Stopping my mga3 32 then as it still has over 2hrs to go.
I gave up too :-))
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: mariadb mariadb-bench lib64mariadb-embedded18 mariadb-core mariadb-extra owncloud

default install of mariadb & mariadb-bench

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.38-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.38-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb-embedded18
Package lib64mariadb-embedded18-5.5.38-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.38-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.38-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed

In su terminal
cd /usr/share/mysql/mysql-test
ran lots of ./mysql-test-run --parallel=4 tests. Ctrl-Z to stop.
Some skipped, lots pass, no errors reported
http://localhost/owncloud/ opens and is usable

install mariadb & mariadb-bench from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-5.5.39-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-5.5.39-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64mariadb-embedded18
Package lib64mariadb-embedded18-5.5.39-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-5.5.39-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-5.5.39-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.17-1.mga3.noarch is already installed

In su terminal
cd /usr/share/mysql/mysql-test
ran lots of ./mysql-test-run --parallel=4 tests. Ctrl-Z to stop.
Some skipped, lots pass, no errors reported
http://localhost/owncloud/ opens and is usable

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
I think we have our simple procedure here. Run some simple webapp and the mysql-test for a little while and we can be reasonably assured that mariadb was installed/updated correctly and is running.
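The procedure agreed above (start the service, confirm the server answers, run mysql_upgrade after updating an existing installation, then exercise the server a little) as one script. This is an added example, not the Mageia QA procedure and not code from the bug report; it assumes the mysqld.service unit name and the mysql, mysqladmin and mysql_upgrade clients on PATH, and the MYSQL_AUTH variable, the qa_smoke database and the table names are hypothetical choices made for the example. The MyISAM table is there on purpose because the advisory's CVE concerns MyISAM temporary files, though the script only checks that the engine works, not the fix itself.

```shell
#!/bin/sh
# mariadb-smoke.sh: quick post-update smoke test for the MariaDB packages
# in this thread. Added example, not part of the bug report or of Mageia QA.
# Assumptions: server runs as mysqld.service; mysql/mysqladmin/mysql_upgrade
# on PATH; MYSQL_AUTH holds client credentials (default "-u root", use
# "-u root -p" once a root password has been set).

EXPECTED_VERSION="5.5.39"              # version the update ships
MYSQL_AUTH="${MYSQL_AUTH:--u root}"

# Pull the "Server version" line out of `mysqladmin version` output (stdin),
# e.g. "Server version  5.5.39-MariaDB" -> "5.5.39-MariaDB".
server_version() {
    sed -n 's/^Server version[[:space:]]*//p'
}

# Return 0 when the reported version $1 starts with the expected version $2.
version_ok() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# SQL for the smoke test: a throwaway database (qa_smoke, hypothetical name)
# with one MyISAM and one InnoDB table, a round trip through both engines,
# a version query, then cleanup.
smoke_sql() {
    cat <<'EOF'
CREATE DATABASE IF NOT EXISTS qa_smoke;
USE qa_smoke;
DROP TABLE IF EXISTS t_myisam, t_innodb;
CREATE TABLE t_myisam (id INT PRIMARY KEY, v VARCHAR(32)) ENGINE=MyISAM;
CREATE TABLE t_innodb (id INT PRIMARY KEY, v VARCHAR(32)) ENGINE=InnoDB;
INSERT INTO t_myisam VALUES (1,'a'),(2,'b'),(3,'c');
INSERT INTO t_innodb SELECT * FROM t_myisam;
SELECT COUNT(*) AS myisam_rows FROM t_myisam;
SELECT COUNT(*) AS innodb_rows FROM t_innodb;
SELECT VERSION() AS server_version;
DROP DATABASE qa_smoke;
EOF
}

# The part that needs a real server. Run as root.
run_smoke() {
    systemctl start mysqld.service || return 1
    v=$(mysqladmin $MYSQL_AUTH version | server_version)
    if ! version_ok "$v" "$EXPECTED_VERSION"; then
        echo "server reports '$v', expected $EXPECTED_VERSION" >&2
        return 1
    fi
    # Needed after updating an existing datadir, as noted earlier in the thread.
    mysql_upgrade $MYSQL_AUTH || return 1
    smoke_sql | mysql $MYSQL_AUTH || return 1
    echo "mariadb $v: smoke test passed"
}

# Only touch the server when explicitly asked: sh mariadb-smoke.sh run
if [ "${1:-}" = "run" ]; then
    run_smoke
fi
```

Invoke it as root with "sh mariadb-smoke.sh run" once before and once after installing the packages from updates_testing; without the argument it only defines the helpers, so the SQL it would send can be inspected by calling smoke_sql. It complements rather than replaces the webapp checks and mysql-test-run runs above: it confirms the updated server starts, reports the expected version and handles both storage engines, nothing more.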
Whiteboard: MGA3TOO has_procedure MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK mga4-64-ok
Heh, well, I'll have you know that when I submitted packages, I did this testing locally before submission, but with --enable-big-tests, and I waited for them to complete before submission... I dunno if Oden does this too...
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0377.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Full list of CVEs fixed in this update appears to be the following:
CVE-2012-5615
CVE-2014-4274
CVE-2014-4287
CVE-2014-6463
CVE-2014-6478
CVE-2014-6484
CVE-2014-6495
CVE-2014-6505
CVE-2014-6520
CVE-2014-6530
CVE-2014-6551

See Bug 14304 for more information.