MariaDB has released version 10.0.29 on January 13: https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/ It fixes several security issues (listed in the release notes above). 10.0.29 is building for Mageia 5 right now, advisory to come later.
URL: (none) => https://lwn.net/Vulnerabilities/712067/
In VirtualBox, M5, KDE, 32-bit

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.28-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.9-1.mga5.noarch is already installed

http://localhost/mediawiki opens, sets up and is usable
http://localhost/phpmyadmin opens, sets up, I can create databases and is usable

install mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra from updates_testing

[root@localhost wilcal]# systemctl start mysqld.service
Job for mysqld.service failed. See "systemctl status mysqld.service" and "journalctl -xe" for details.

Attached.
CC: (none) => wilcal.int
Created attachment 8878 [details] mariadb fail to start journalctl -xe output
In VirtualBox, M5, KDE, 32-bit

Just install mariadb from updates_testing

Create mariadb/mysql db PW: testmaria

Package(s) under test:
mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

default install of mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb-embedded18
Package libmariadb-embedded18-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libmariadb18
Package libmariadb18-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-bench
Package mariadb-bench-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-client
Package mariadb-client-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common
Package mariadb-common-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-common-core
Package mariadb-common-core-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-core
Package mariadb-core-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb-extra
Package mariadb-extra-10.0.29-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.9-1.mga5.noarch is already installed
[root@localhost wilcal]# systemctl start mysqld.service
Job for mysqld.service failed. See "systemctl status mysqld.service" and "journalctl -xe" for details.
In VirtualBox, M5, KDE, 64-bit

Install mariadb from updates_testing

Package(s) under test:
mariadb libmariadb-embedded18 libmariadb18 mariadb-bench mariadb-client mariadb-common mariadb-common-core mariadb-core mariadb-extra

Errors encountered during install:

2 installation transactions failed

There was a problem during the installation:
file /usr/share/mysql/default/errmsg.sys from install of libmariadb-embedded18-10.0.29-1.mga5.i586 conflicts with file from package lib64mariadb-embedded18-10.0.28-1.mga5.x86_64
mariadb-client(x86-64) = 10.0.29-1.mga5 is needed by mariadb-10.0.29-1.mga5.x86_64
mariadb-common(x86-64) = 10.0.29-1.mga5 is needed by mariadb-10.0.29-1.mga5.x86_64
mariadb-common-core(x86-64) >= 10.0.29-1.mga5 is needed by mariadb-core-10.0.29-1.mga5.x86_64
mariadb-client(x86-64) >= 10.0.29-1.mga5 is needed by mariadb-bench-10.0.29-1.mga5.x86_64
perl(GD) is needed by mariadb-bench-10.0.29-1.mga5.x86_64

There was a problem during the installation:
file /usr/share/mysql/default/errmsg.sys from install of libmariadb-embedded18-10.0.29-1.mga5.i586 conflicts with file from package lib64mariadb-embedded18-10.0.28-1.mga5.x86_64
Debian has issued an advisory for this on January 22: https://www.debian.org/security/2017/dsa-3770 So it says they updated to 10.0.29, but I can't see that on packages.debian.org or sources.debian.net, so I don't know what they did to get around this issue.
Depends on: (none) => 20143
Whiteboard: (none) => feedback
(In reply to David Walser from comment #5)
> So it says they updated to 10.0.29, but I can't see that on
> packages.debian.org or sources.debian.net, so I don't know what they did to
> get around this issue.

Thanks David. Usually testing mariadb is pretty easy for me. This situation is beyond my understanding. Should this go back to the maintainer?
(In reply to William Kenney from comment #6)
> Thanks David. Usually testing mariadb is pretty easy for me. This situation
> is beyond my understanding. Should this go back to the maintainer?

It just needs to be fixed. It doesn't really need to "go back" anywhere since it doesn't really have a maintainer and I'm already aware of the issue.
MGA5-32 on AsusA6000VM

No installation issues for 10.0.29

But problem at CLI as root

# systemctl start mysqld
Job for mysqld.service failed. See "systemctl status mysqld.service" and "journalctl -xe" for details.
# systemctl status mysqld.service
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled)
   Active: failed (Result: start-limit) since vr 2017-01-27 11:14:32 CET; 3min 9s ago
  Process: 29031 ExecStartPost=/usr/sbin/mysqld-wait-ready $MAINPID (code=exited, status=1/FAILURE)
  Process: 28814 ExecStart=/usr/bin/mysqld_safe --nowatch (code=exited, status=0/SUCCESS)
  Process: 28797 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)

jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: Unit mysqld.service entered failed state.
jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: mysqld.service failed.
jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: start request repeated too quickly for mysqld.service
jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: Failed to start MySQL database server.
jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: Unit mysqld.service entered failed state.
jan 27 11:14:32 mach6.hviaene.thuis systemd[1]: mysqld.service failed.

Checked access rights on /var/lib/mysqld : OK for mysqluser

Googled and apparently could start with

# mysqld_safe --defaults-file=/etc/my.cnf
170127 11:29:53 mysqld_safe Logging to '/var/log/mysqld/mysqld.log'.
170127 11:29:53 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

That allowed me (on another root prompt) to

# mysqladmin password tester

but the systemctl kept giving failed state, but the ps command showed process running, and I killed the process to have another go at systemctl, to no avail
CC: (none) => herman.viaene
The service issue should be fixed in mariadb-10.0.29-1.1.mga5. Please test again, including testing upgrades from mariadb-10.0.28-1.mga5.
Whiteboard: feedback => (none)
Now uploading mariadb-10.0.29-1.2.mga5 with further fixes.
With the patch from https://bugs.mageia.org/show_bug.cgi?id=20143#c58 applied, and perl-DBD-mysql installed for bug 20275 mariadb-bench now shows All 10 test executed successfully. No problems found having updated from the prior version. While 10.0.29-1.2 is not a regression from the prior version, would you prefer we validate this version, or wait for the above 2 bugs to be fixed too?
CC: (none) => davidwhodgins
Bug 20143 *is* a regression from the prior version, so if it's still not fixed by the changes in 1.2.mga5, then we're not done. Is this the case?
(In reply to David Walser from comment #12)
> Bug 20143 *is* a regression from the prior version, so if it's still not
> fixed by the changes in 1.2.mga5, then we're not done. Is this the case?

Yes
Just to clarify, without the patch, mysqld does start, but systemd fails to detect that it has started, and forces a restart every time the timeout expires, currently every 5 minutes, which breaks access for things like mariadb-bench. systemctl status mysqld.service shows it as active (starting), not active (running), while it is running. While https://mariadb.com/kb/en/mariadb/systemd/ indicates mariadb version 10.1.8 is the version that requires mysqld_safe no longer be used, it seems that with the current patches applied, it also now applies to our 10.0.29 version, and my testing indicates it works ok without mysqld_safe.
Whiteboard: (none) => feedback
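The two mismatches reported in this thread (daemon running while systemd still shows it as starting, and a mysqld process left alive while the unit is in failed state) can be told apart with a small check. This is an added example, not part of the original thread or of Mageia's packaging; the function names and result labels are hypothetical, and the sample status text is constructed from the output quoted in the comments.

```shell
#!/bin/sh
# Added example: decide what state the service is really in from the "Active:"
# line of `systemctl status` plus whether a mysqld process is alive.
# Function names and result labels are hypothetical.

# Print "<state> <detail>" taken from the first "Active: state (detail)" line.
active_field() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Active:[[:space:]]*\([a-z]*\) (\([^)]*\)).*/\1 \2/p' |
        head -n 1
}

# $1 = status text, $2 = "yes" if a mysqld process exists, otherwise "no".
classify_unit() {
    field=$(active_field "$1")
    state=${field%% *}
    detail=${field#* }
    case "$state:$2" in
        active:yes|activating:yes)
            # Anything other than "running" means systemd is still waiting
            # for readiness, the case comment 14 describes as ending in a
            # forced restart when the timeout expires.
            if [ "$detail" = running ]; then echo ready
            else echo started-but-undetected; fi ;;
        failed:yes) echo orphaned-daemon ;;   # unit failed, process left behind
        failed:no)  echo failed ;;
        *)          echo inconsistent ;;
    esac
}

# Constructed samples modelled on the status output quoted in this thread.
SAMPLE_FAILED='mysqld.service - MySQL database server
   Active: failed (Result: start-limit) since vr 2017-01-27 11:14:32 CET; 3min 9s ago'
SAMPLE_RUNNING='mysqld.service - MySQL database server
   Active: active (running) since zo 2017-02-19 11:26:15 CET; 10min ago'
SAMPLE_STARTING='mysqld.service - MySQL database server
   Active: active (starting) since zo 2017-02-19 11:26:15 CET; 2min ago'

# On a live system (not run here):
#   classify_unit "$(systemctl status mysqld.service)" \
#       "$(pgrep -x mysqld >/dev/null && echo yes || echo no)"
```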
Sorry nobody else is looking at this and I've been very busy. I'll try to get to it this weekend. Note to self, openSUSE added a patch to fix a use-after-free: https://build.opensuse.org/package/rdiff/openSUSE:Leap:42.2:Update/mariadb?linkrev=base&rev=2 They also added a mysqld_safe_helper to the files list; not sure what that is.
10.0.29-1.2 depends on systemd-notify support, which was not added to mariadb until version 10.1.8, so it won't work (unless backport of the systemd-notify support is also added). 10.0.29-1 with Raphael Gertz's patch for Cauldron bug 20143: https://bugs.mageia.org/attachment.cgi?id=8915 seems to work fine.
CC: (none) => gm2.asp
Mageia 5 build building now with mysqld.service changes reverted and using rapsys's patch to mysqld-wait-ready.
mariadb:10.0.29-1.3.mga5 is now available in the repository: Core Updates-Testing
CC: (none) => nathan95
MGA5-32 on Asus A6000VM Xfce

No installation issues

At CLI:

# systemctl start mysqld
# systemctl -l status mysqld.service
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled)
   Active: active (running) since zo 2017-02-19 11:26:15 CET; 10min ago
 Main PID: 12993 (mysqld)
   CGroup: /system.slice/mysqld.service
           └─12993 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --log-error=/var/log/mysqld/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock --port=3306

feb 19 11:26:12 mach6.hviaene.thuis mysqld_safe[12779]: 170219 11:26:12 mysqld_safe Logging to '/var/log/mysqld/mysqld.log'.

With phpmyadmin I could create and drop a table in "test" database.
Whiteboard: (none) => MGA5-32-OK
Testing complete on Mageia 5 x86_64, also using phpmyadmin for testing. Still need the advisory before this can be pushed.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Root Privilege Escalation (CVE-2016-6664).

Unspecified vulnerability affecting the Optimizer component (CVE-2017-3238).

Unspecified vulnerability affecting the Charsets component (CVE-2017-3243).

Unspecified vulnerability affecting the DML component (CVE-2017-3244).

Unspecified vulnerability affecting InnoDB (CVE-2017-3257).

Unspecified vulnerability in the DDL component (CVE-2017-3258).

Unsafe chmod/chown use in init script (CVE-2017-3265).

Unrestricted mysqld_safe's ledir (CVE-2017-3291).

Insecure error log file handling in mysqld_safe, due to an incomplete fix for CVE-2016-6664 (CVE-2017-3312).

Unspecified vulnerability affecting Logging (CVE-2017-3317).

Unspecified vulnerability affecting Error Handling (CVE-2017-3318).

Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318
https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00074.html
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0054.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED