MySQL 5.5.43 is out, which, according to the latest Oracle CPU, fixes:
CVE-2015-0499, CVE-2015-0501, CVE-2015-0505, CVE-2015-2571

The CPU is here:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Debian has issued an advisory for this on April 19:
https://www.debian.org/security/2015/dsa-3229

AFAIK, MariaDB 5.5.43 isn't out yet, but obviously we should update when it is.
URL: (none) => http://lwn.net/Vulnerabilities/641082/
mariadb-5.5.43-1.mga4 has been submitted now.
CC: (none) => oe
Thanks Oden!

Advisory to come later.

Package list:
mariadb-5.5.43-1.mga4
mysql-MariaDB-5.5.43-1.mga4
mariadb-feedback-5.5.43-1.mga4
mariadb-extra-5.5.43-1.mga4
mariadb-obsolete-5.5.43-1.mga4
mariadb-core-5.5.43-1.mga4
mariadb-common-core-5.5.43-1.mga4
mariadb-common-5.5.43-1.mga4
mariadb-client-5.5.43-1.mga4
mariadb-bench-5.5.43-1.mga4
libmariadb18-5.5.43-1.mga4
libmariadb-devel-5.5.43-1.mga4
libmariadb-embedded18-5.5.43-1.mga4
libmariadb-embedded-devel-5.5.43-1.mga4

from mariadb-5.5.43-1.mga4.src.rpm
CC: (none) => alien
Assignee: alien => qa-bugs
https://mariadb.com/kb/en/mariadb/mariadb-5543-release-notes/

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer (CVE-2015-2571).

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via vectors related to DDL (CVE-2015-0505).

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling (CVE-2015-0501).

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Federated (CVE-2015-0499).
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:227/
Thanks Oden!

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

This update provides MariaDB 5.5.43, which fixes several security issues and other bugs. Please refer to the Oracle Critical Patch Update Advisories and the Release Notes for MariaDB for further information regarding the security vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2571
https://mariadb.com/kb/en/mariadb/mariadb-5543-release-notes/
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A227/
Update works fine on our production Moodle server at work, Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Testing (very minimally) MGA4 x64 real hardware. Having played with phpmyadmin and Moodle (using MariaDB), everything seems to function within my meagre knowledge especially of how to drive Moodle. So, thanks to David's more +ve feedback Comment 5: OK.
CC: (none) => lewyssmith
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded.
Please push to 4 updates.
Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0193.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Other CVEs that may have been relevant: http://lwn.net/Vulnerabilities/645935/