Upstream has released version 10.0.23 on December 18:
https://mariadb.org/mariadb-10-0-23-now-available/

It fixes at least one security issue (client-side SSL certificate verification issue) and several bugs.

Updated package uploaded for Mageia 5.

Build failed for Cauldron, likely due to Boost 1.60:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20151224203457.luigiwalser.valstar.32607/log/mariadb-10.0.23-1.mga6/build.0.20151224203505.log

Saving advisory for later.

Advisory:
========================

Updated mariadb packages fix security vulnerability:

The mariadb package has been updated to version 10.0.23. An issue with client-side SSL certificate verification has been fixed, as have several other bugs. See the upstream release notes for more details.

References:
https://mariadb.com/kb/en/mariadb/mariadb-10023-release-notes/
========================

Updated packages in core/updates_testing:
========================
mariadb-10.0.23-1.mga5
mysql-MariaDB-10.0.23-1.mga5
mariadb-cassandra-10.0.23-1.mga5
mariadb-feedback-10.0.23-1.mga5
mariadb-oqgraph-10.0.23-1.mga5
mariadb-connect-10.0.23-1.mga5
mariadb-sphinx-10.0.23-1.mga5
mariadb-mroonga-10.0.23-1.mga5
mariadb-sequence-10.0.23-1.mga5
mariadb-spider-10.0.23-1.mga5
mariadb-extra-10.0.23-1.mga5
mariadb-obsolete-10.0.23-1.mga5
mariadb-core-10.0.23-1.mga5
mariadb-common-core-10.0.23-1.mga5
mariadb-common-10.0.23-1.mga5
mariadb-client-10.0.23-1.mga5
mariadb-bench-10.0.23-1.mga5
libmariadb18-10.0.23-1.mga5
libmariadb-devel-10.0.23-1.mga5
libmariadb-embedded18-10.0.23-1.mga5
libmariadb-embedded-devel-10.0.23-1.mga5

from mariadb-10.0.23-1.mga5.src.rpm
Whiteboard: (none) => MGA5TOO
CC: (none) => alien, oe, tmb, zen25000
I added rpm magic to avoid building oqgraph (for now), not a fix but...

The build problem seems to be this and related to boost:

/usr/bin/c++ -DBOOST_DISABLE_ASSERTS=1 -DBOOST_NO_RTTI=1 -DBOOST_NO_TYPEID=1 -DHAVE_CONFIG_H -DHAVE_OQGRAPH -DHAVE_SYSTEMD -DMYSQL_DYNAMIC_PLUGIN -Doqgraph_EXPORTS -I/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/build/include -I/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/include -I/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/sql -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -fno-delete-null-pointer-checks -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -DWITH_INNODB_DISALLOW_WRITES -fPIC -fno-rtti -Wno-deprecated -fno-strict-aliasing -fpermissive -O2 -g -DNDEBUG -D_FORTIFY_SOURCE=2 -DDBUG_OFF -fPIC -o CMakeFiles/oqgraph.dir/graphcore.cc.o -c /home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/graphcore.cc
In file included from /home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/graphcore-graph.h:28:0,
                 from /home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/graphcore.cc:29:
/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/oqgraph_shim.h:261:13: error: 'no_graph_bundle' does not name a type
     typedef no_graph_bundle type;
             ^
/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/oqgraph_shim.h:267:13: error: 'no_vertex_bundle' does not name a type
     typedef no_vertex_bundle type;
             ^
/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/storage/oqgraph/oqgraph_shim.h:273:13: error: 'no_edge_bundle' does not name a type
     typedef no_edge_bundle type;
             ^
storage/oqgraph/CMakeFiles/oqgraph.dir/build.make:89: recipe for target 'storage/oqgraph/CMakeFiles/oqgraph.dir/graphcore.cc.o' failed
make[2]: *** [storage/oqgraph/CMakeFiles/oqgraph.dir/graphcore.cc.o] Error 1
make[2]: Leaving directory '/home/iurt/rpmbuild/BUILD/mariadb-10.1.10/build'
CMakeFiles/Makefile2:5152: recipe for target 'storage/oqgraph/CMakeFiles/oqgraph.dir/all' failed
make[1]: *** [storage/oqgraph/CMakeFiles/oqgraph.dir/all] Error 2
Thanks Oden! Hopefully upstream will fix oqgraph in the next version. Assigning to QA. Advisory and package list in Comment 0.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Assignee: bugsquad => qa-bugs
Testing MariaDB

Connection id: 3
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.0.23-MariaDB Mageia MariaDB Server
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 28 sec

Threads: 1 Questions: 5 Slow queries: 0 Opens: 0 Flush tables: 1 Open tables: 63 Queries per second avg: 0.178

---running owncloud against the database. Added a file, queried some through owncloud

MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.0.23-MariaDB, for Linux (i686) using readline 5.1

Connection id: 3
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.0.23-MariaDB Mageia MariaDB Server
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 3 min 0 sec

Threads: 1 Questions: 1123 Slow queries: 0 Opens: 17 Flush tables: 1 Open tables: 64 Queries per second avg: 6.238

Seems to be working fine on 32-bit
CC: (none) => brtians1
Whiteboard: (none) => MGA5-32-OK
Testing MGA5 x64 real hardware

Unfortunately I have very little running which uses MariaDB, just Cacti and PHPmyadmin. BTAIM I updated to:

lib64mariadb18-10.0.23-1.mga5
lib64mariadb-devel-10.0.23-1.mga5
lib64mariadb-embedded18-10.0.23-1.mga5
mariadb-10.0.23-1.mga5
mariadb-client-10.0.23-1.mga5
mariadb-common-10.0.23-1.mga5
mariadb-common-core-10.0.23-1.mga5
mariadb-core-10.0.23-1.mga5
mariadb-extra-10.0.23-1.mga5
mariadb-feedback-10.0.23-1.mga5

and stopped/re-started mysqld with MCC. Cacti showed sensible graphs for the current session & into the past. PHPmyadmin seemed to work, as did
$ mysql
with simple SQL commands. Nothing untoward evident, so deemed OK.
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0009.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/671635/
The issue with SSL certificate verification that was fixed is CVE-2016-2047: http://openwall.com/lists/oss-security/2016/01/26/3
This also fixed several CVEs, which I guess came from the latest Oracle CPU.

Debian advisory from January 25:
https://www.debian.org/security/2016/dsa-3453

from http://lwn.net/Vulnerabilities/673582/

CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616 CVE-2016-2047
Also CVE-2016-0642 and CVE-2016-0651 fixed in this update: https://mariadb.com/kb/en/mariadb/security/
LWN reference for CVE-2016-0651: http://lwn.net/Vulnerabilities/692523/