Bug 19274 - mariadb 10.0.27
Summary: mariadb 10.0.27
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/700651/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-08-31 02:05 CEST by David Walser
Modified: 2016-11-09 17:21 CET

See Also:
Source RPM: mariadb-10.0.26-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-08-31 02:05:06 CEST
MariaDB 10.0.27 has been released on August 25:
https://mariadb.com/kb/en/mariadb-10027-release-notes/

Updated package uploaded for Mageia 5.

Advisory:
----------------------------------------

This is a maintenance and bugfix release that upgrades MariaDB to
the latest 10.0.27 version which resolves various upstream bugs.

References:
https://mariadb.com/kb/en/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb-10027-changelog/
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
mariadb-10.0.27-1.mga5
mysql-MariaDB-10.0.27-1.mga5
mariadb-cassandra-10.0.27-1.mga5
mariadb-feedback-10.0.27-1.mga5
mariadb-oqgraph-10.0.27-1.mga5
mariadb-connect-10.0.27-1.mga5
mariadb-sphinx-10.0.27-1.mga5
mariadb-mroonga-10.0.27-1.mga5
mariadb-sequence-10.0.27-1.mga5
mariadb-spider-10.0.27-1.mga5
mariadb-extra-10.0.27-1.mga5
mariadb-obsolete-10.0.27-1.mga5
mariadb-core-10.0.27-1.mga5
mariadb-common-core-10.0.27-1.mga5
mariadb-common-10.0.27-1.mga5
mariadb-client-10.0.27-1.mga5
mariadb-bench-10.0.27-1.mga5
libmariadb18-10.0.27-1.mga5
libmariadb-devel-10.0.27-1.mga5
libmariadb-embedded18-10.0.27-1.mga5
libmariadb-embedded-devel-10.0.27-1.mga5

from mariadb-10.0.27-1.mga5.src.rpm
Comment 1 Dave Hodgins 2016-09-12 00:22:47 CEST
Tested on Mageia 5 i586 and x86_64 (basic testing only).

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 David Walser 2016-09-12 17:01:05 CEST
A security issue fixed in this update was disclosed today:
http://openwall.com/lists/oss-security/2016/09/12/4

Please update the advisory in SVN.

Advisory:
========================

Updated mariadb packages fix security vulnerability:

MariaDB before 10.0.27 allowed a malicious user to create a my.cnf in the
datadir and, under certain circumstances, execute arbitrary code as mysql (or
even root) user (CVE-2016-6662).

The mariadb package has been updated to version 10.0.27. It fixes this issue
and other bugs.  See the upstream release notes for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
https://mariadb.com/kb/en/mariadb-10027-release-notes/
https://mariadb.com/kb/en/mariadb-10027-changelog/

Component: RPM Packages => Security
QA Contact: (none) => security
Whiteboard: MGA5-64-OK MGA5-32-OK advisory => MGA5-64-OK MGA5-32-OK
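
Added example, not part of this bug report nor of Mageia's or MariaDB's own tooling: a shell check for the condition named in the advisory above (a my.cnf present in the datadir), combined with a version comparison against 10.0.27. The function names and the datadir path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit helper for the my.cnf-in-datadir issue (CVE-2016-6662).
# Covers the 10.0 series only, as in the advisory ("MariaDB before 10.0.27").
FIXED_VERSION="10.0.27"

# version_lt A B: succeed when dotted version A sorts strictly before B.
# Fields are compared numerically, so 10.0.9 is older than 10.0.27.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# audit_mariadb VERSION DATADIR
# Prints one WARN line per finding; returns 0 when clean, 1 otherwise.
audit_mariadb() {
    ver=$1
    datadir=$2
    rc=0

    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "WARN: server version $ver is older than $FIXED_VERSION"
        rc=1
    fi

    # An option file inside the data directory is the condition the
    # advisory describes. Symlinks count too, hence the extra -L test.
    cnf="$datadir/my.cnf"
    if [ -e "$cnf" ] || [ -L "$cnf" ]; then
        echo "WARN: option file present in datadir: $cnf"
        ls -ld "$cnf"    # show owner and mode for triage
        rc=1
    fi

    return "$rc"
}

# Usage (datadir path is an assumed default, adjust to the local setup):
#   sh audit.sh "$(rpm -q --qf '%{VERSION}' mariadb)" /var/lib/mysql
if [ "$#" -eq 2 ]; then
    audit_mariadb "$1" "$2"
fi
```

A non-zero exit status means at least one finding was printed.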

Dave Hodgins 2016-09-13 01:35:36 CEST

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

David Walser 2016-09-14 18:57:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/700651/

Comment 3 Mageia Robot 2016-09-21 22:39:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGAA-2016-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2016-11-09 17:21:08 CET
CVE-2016-5630 and CVE-2016-5612 also fixed in this update.

LWN reference for CVE-2016-5630:
http://lwn.net/Vulnerabilities/706021/

CVE-2016-5612 is on this one with other issues mostly fixed in 10.0.28:
http://lwn.net/Vulnerabilities/705211/
