Upstream has released MariaDB 10.0.33 and 10.1.29 on November 1 and 15:
https://mariadb.org/mariadb-10-2-10-mariadb-10-0-33-now-available/
https://mariadb.org/mariadb-10-1-29-mariadb-galera-cluster-10-0-33-mariadb-connectorj-releases-now-available/

According to the release notes, two security issues are fixed:
https://mariadb.com/kb/en/library/mariadb-10033-release-notes/
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/

which come from the last Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

I tried to update them, but they don't build due to a problem with PCRE.
Whiteboard: (none) => MGA5TOO
@mjack I saw you assigned bug 22078 to yourself. And, of course, I saw the "MariaDB package" thread on dev ml. Thanks a lot for all your effort to fix MariaDB. (Thanks to mkraemer, too, of course.) So assigning this report to you, because the mariadb maintainer has been unavailable for quite a while. Please re-assign to pkg-bugs@ml if you don't agree.
Assignee: bugsquad => jackal.j
CC: (none) => alien, mageia, marja11, oe
Component: RPM Packages => Security
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22078
QA Contact: (none) => security
I have corrected the typo (with PCRE) in the latest commit, see if that works out. Credit goes to mkraemer for finding it out.
@Jack: I think we may have to patch pcre here too. It depends on whether "old" mariadb already made the pcre checks.
@David: according to the log "Performing Test PCRE_STACK_SIZE_OK - Failed", we have to apply a patch to pcre. If you're ok, I'll push the patch for mga5/6 to testing
Yes, please. Thanks Marc.
*** Bug 22210 has been marked as a duplicate of this bug. ***
Depends on: (none) => 20355
We have a build for mga5 (yours). And one for 6 (mine).
Thanks for the help Marc and Jack.

Jack, for future reference, don't increment the release tag when a build fails.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Difficult to exploit vulnerability in MariaDB Server allows high privileged attacker with logon to the infrastructure where MariaDB Server executes to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MariaDB Server accessible data (CVE-2017-10268).

Easily exploitable vulnerability in MariaDB Server allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2017-10378).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378
https://mariadb.com/kb/en/library/mariadb-10033-release-notes/
https://mariadb.com/kb/en/library/mariadb-10129-release-notes/
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
========================

Updated packages in core/updates_testing:
========================
mariadb-10.0.33-2.mga5
mysql-MariaDB-10.0.33-2.mga5
mariadb-cassandra-10.0.33-2.mga5
mariadb-feedback-10.0.33-2.mga5
mariadb-oqgraph-10.0.33-2.mga5
mariadb-connect-10.0.33-2.mga5
mariadb-sphinx-10.0.33-2.mga5
mariadb-mroonga-10.0.33-2.mga5
mariadb-sequence-10.0.33-2.mga5
mariadb-spider-10.0.33-2.mga5
mariadb-extra-10.0.33-2.mga5
mariadb-obsolete-10.0.33-2.mga5
mariadb-core-10.0.33-2.mga5
mariadb-common-core-10.0.33-2.mga5
mariadb-common-10.0.33-2.mga5
mariadb-client-10.0.33-2.mga5
mariadb-bench-10.0.33-2.mga5
libmariadb18-10.0.33-2.mga5
libmariadb-devel-10.0.33-2.mga5
libmariadb-embedded18-10.0.33-2.mga5
libmariadb-embedded-devel-10.0.33-2.mga5
mariadb-10.1.29-2.mga6
mysql-MariaDB-10.1.29-2.mga6
mariadb-cassandra-10.1.29-2.mga6
mariadb-feedback-10.1.29-2.mga6
mariadb-connect-10.1.29-2.mga6
mariadb-sphinx-10.1.29-2.mga6
mariadb-mroonga-10.1.29-2.mga6
mariadb-sequence-10.1.29-2.mga6
mariadb-spider-10.1.29-2.mga6
mariadb-extra-10.1.29-2.mga6
mariadb-obsolete-10.1.29-2.mga6
mariadb-core-10.1.29-2.mga6
mariadb-common-core-10.1.29-2.mga6
mariadb-common-10.1.29-2.mga6
mariadb-client-10.1.29-2.mga6
mariadb-bench-10.1.29-2.mga6
libmariadb18-10.1.29-2.mga6
libmariadb-devel-10.1.29-2.mga6
libmariadb-embedded18-10.1.29-2.mga6
libmariadb-embedded-devel-10.1.29-2.mga6

from SRPMS:
mariadb-10.0.33-2.mga5.src.rpm
mariadb-10.1.29-2.mga6.src.rpm
Assignee: jackal.j => qa-bugs
CC: (none) => jackal.j
Testing M5/64

Updated to:
lib64mariadb18-10.0.33-2.mga5
lib64mariadb-devel-10.0.33-2.mga5
lib64mariadb-embedded18-10.0.33-2.mga5
mariadb-10.0.33-2.mga5
mariadb-client-10.0.33-2.mga5
mariadb-common-10.0.33-2.mga5
mariadb-common-core-10.0.33-2.mga5
mariadb-core-10.0.33-2.mga5
mariadb-extra-10.0.33-2.mga5
mariadb-feedback-10.0.33-2.mga5

Played mainly with PHPmySQL, looking at various databases, modifying a test table line, all OK.
Trying Cacti (using MariaDB) showed nothing, but it has been iffy for ages; looks dead.
Tried a few dumb queries with Bacula bconsole in the hope that it used its MariaDB database, results sensible in the circumstances.

Nothing obvious to complain about, OKing the update.
Keywords: (none) => advisory
CC: (none) => lewyssmith
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Testing M6/64

UPDATED to:
- lib64mariadb18-10.1.29-2.mga6.x86_64
- mariadb-10.1.29-2.mga6.x86_64
- mariadb-client-10.1.29-2.mga6.x86_64
- mariadb-common-10.1.29-2.mga6.x86_64
- mariadb-common-core-10.1.29-2.mga6.x86_64
- mariadb-core-10.1.29-2.mga6.x86_64
- mariadb-extra-10.1.29-2.mga6.x86_64
- mariadb-feedback-10.1.29-2.mga6.x86_64

Tried Cacti, which has no templates so no graphs, but still just uses MariaDB.
Played with PHPmyAdmin to drop rows, tables, database; create new tables, add column, insert & edit rows.

Looks OK, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0461.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED