Ubuntu has issued an advisory on October 15:
http://www.ubuntu.com/usn/usn-2384-1/

The CVEs are also covered in the latest Oracle Critical Patch Update, along with Java:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

I'm assuming that some or all of these issues are also fixed in MariaDB 5.5.38:
https://blog.mariadb.org/mariadb-5-5-40-now-available/

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
CC: (none) => oe
URL: (none) => http://lwn.net/Vulnerabilities/616447/
According to the changelog here:
https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5540-release-notes/

The following CVEs have been fixed:

CVE-2014-6507
CVE-2014-6491
CVE-2014-6500
CVE-2014-6469
CVE-2014-6555
CVE-2014-6559
CVE-2014-6494
CVE-2014-6496
CVE-2014-6464

As usual not so informative CVE descriptions.
mariadb-5.5.40-1.mga3 + mariadb-5.5.40-1.mga4 have been submitted.
The ubuntu advisory (usn-2384-1) also lists these CVEs:

CVE-2012-5615
CVE-2014-4274
CVE-2014-4287
CVE-2014-6463
CVE-2014-6478
CVE-2014-6484
CVE-2014-6495
CVE-2014-6505
CVE-2014-6520
CVE-2014-6530
CVE-2014-6551
(In reply to Oden Eriksson from comment #3)
> The ubuntu advisory (usn-2384-1) also lists these CVEs:
>
> CVE-2012-5615
> CVE-2014-4274
> CVE-2014-4287
> CVE-2014-6463
> CVE-2014-6478
> CVE-2014-6484
> CVE-2014-6495
> CVE-2014-6505
> CVE-2014-6520
> CVE-2014-6530
> CVE-2014-6551

I'm assuming these were fixed with mariadb-5.5.38? But then the MGASA-2014-0299 advisory does not match.
(In reply to Oden Eriksson from comment #4)
> (In reply to Oden Eriksson from comment #3)
> > The ubuntu advisory (usn-2384-1) also lists these CVEs:
> >
> > CVE-2012-5615
> > CVE-2014-4274
> > CVE-2014-4287
> > CVE-2014-6463
> > CVE-2014-6478
> > CVE-2014-6484
> > CVE-2014-6495
> > CVE-2014-6505
> > CVE-2014-6520
> > CVE-2014-6530
> > CVE-2014-6551
>
> I'm assuming these were fixed with mariadb-5.5.38? But then the
> MGASA-2014-0299 advisory does not match.

Those would have been fixed in 5.5.39 then. No information was available at the time, so they were not included in the advisory.
Updated packages uploaded by Oden for Mageia 3 and Mageia 4.

Advisory to come later.

Updated packages in core/updates_testing:
========================
mariadb-5.5.40-1.mga3
mysql-MariaDB-5.5.40-1.mga3
mariadb-feedback-5.5.40-1.mga3
mariadb-extra-5.5.40-1.mga3
mariadb-obsolete-5.5.40-1.mga3
mariadb-core-5.5.40-1.mga3
mariadb-common-core-5.5.40-1.mga3
mariadb-common-5.5.40-1.mga3
mariadb-client-5.5.40-1.mga3
mariadb-bench-5.5.40-1.mga3
libmariadb18-5.5.40-1.mga3
libmariadb-devel-5.5.40-1.mga3
libmariadb-embedded18-5.5.40-1.mga3
libmariadb-embedded-devel-5.5.40-1.mga3
mariadb-5.5.40-1.mga4
mysql-MariaDB-5.5.40-1.mga4
mariadb-feedback-5.5.40-1.mga4
mariadb-extra-5.5.40-1.mga4
mariadb-obsolete-5.5.40-1.mga4
mariadb-core-5.5.40-1.mga4
mariadb-common-core-5.5.40-1.mga4
mariadb-common-5.5.40-1.mga4
mariadb-client-5.5.40-1.mga4
mariadb-bench-5.5.40-1.mga4
libmariadb18-5.5.40-1.mga4
libmariadb-devel-5.5.40-1.mga4
libmariadb-embedded18-5.5.40-1.mga4
libmariadb-embedded-devel-5.5.40-1.mga4

from SRPMS:
mariadb-5.5.40-1.mga3.src.rpm
mariadb-5.5.40-1.mga4.src.rpm
CC: (none) => alien
Assignee: alien => qa-bugs
Procedure is here:
https://bugs.mageia.org/show_bug.cgi?id=14015

Tested fine on mga4-64-OK.
CC: (none) => shlomif
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK has_procedure
MGA4-32-OK.
Whiteboard: MGA3TOO MGA4-64-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure
Tested on MGA3-32 - everything is fine.
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK
MGA3-64-OK.
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK
Thanks Shlomi!

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

This update provides MariaDB 5.5.40, which fixes several security issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
https://blog.mariadb.org/mariadb-5-5-40-now-available/
https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5540-release-notes/
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.ubuntu.com/usn/usn-2384-1/
Advisory uploaded. Validating, please push mariadb to 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0424.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This also should have fixed CVE-2014-6564, according to Oracle: http://lwn.net/Vulnerabilities/622622/