Bug 23271 - mariadb 10.1.35
Summary: mariadb 10.1.35
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-03 13:58 CEST by David Walser
Modified: 2018-08-12 22:40 CEST

See Also:
Source RPM: mariadb-10.1.33-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-07-03 13:58:34 CEST
MariaDB 10.1.34 was released on June 18:
https://mariadb.org/mariadb-10-1-34-and-latest-mariadb-connectors-now-available/
https://mariadb.com/kb/en/library/mariadb-10134-release-notes/

No security fixes are listed as of now, but may be later.

Comment 1 Marja Van Waes 2018-07-04 12:49:46 CEST
Assigning to the registered maintainer.

CC'ing two recent committers.

Assignee: bugsquad => alien
CC: (none) => marja11, mrambo, tmb

Marc Krämer 2018-08-07 19:13:18 CEST

Summary: mariadb 10.1.34 => mariadb 10.1.35
CC: (none) => mageia

Marc Krämer 2018-08-07 19:13:24 CEST

Assignee: alien => mageia

Comment 2 David Walser 2018-08-08 00:45:50 CEST
Thanks for picking this up.  I see you changed the version number...

MariaDB 10.1.35 was released today (August 7):
https://mariadb.org/mariadb-10-1-35-and-mariadb-galera-cluster-10-0-36-now-available/
https://mariadb.com/kb/en/library/mariadb-10135-release-notes/

It fixes 4 security issues.

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 3 David Walser 2018-08-08 00:47:18 CEST
Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL

Comment 4 David Walser 2018-08-08 01:00:26 CEST
I see the update's already building.  Advisory below.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
MyISAM). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized update, insert or
delete access to some of MariaDB Server accessible data (CVE-2018-3058).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Security: Privileges). Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MariaDB Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MariaDB Server (CVE-2018-3063).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MariaDB Server as well
as unauthorized update, insert or delete access to some of MariaDB Server
accessible data (CVE-2018-3064).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Options). Difficult to exploit vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MariaDB Server accessible data as
well as unauthorized read access to a subset of MariaDB Server accessible data
(CVE-2018-3066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066
https://mariadb.com/kb/en/library/mariadb-10134-release-notes/
https://mariadb.com/kb/en/library/mariadb-10135-release-notes/
https://mariadb.org/mariadb-10-1-34-and-latest-mariadb-connectors-now-available/
https://mariadb.org/mariadb-10-1-35-and-mariadb-galera-cluster-10-0-36-now-available/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL
========================

Updated packages in core/updates_testing:
========================
mariadb-10.1.35-1.mga6
mysql-MariaDB-10.1.35-1.mga6
mariadb-cassandra-10.1.35-1.mga6
mariadb-feedback-10.1.35-1.mga6
mariadb-connect-10.1.35-1.mga6
mariadb-sphinx-10.1.35-1.mga6
mariadb-mroonga-10.1.35-1.mga6
mariadb-sequence-10.1.35-1.mga6
mariadb-spider-10.1.35-1.mga6
mariadb-extra-10.1.35-1.mga6
mariadb-obsolete-10.1.35-1.mga6
mariadb-core-10.1.35-1.mga6
mariadb-common-core-10.1.35-1.mga6
mariadb-common-10.1.35-1.mga6
mariadb-client-10.1.35-1.mga6
mariadb-bench-10.1.35-1.mga6
libmariadb18-10.1.35-1.mga6
libmariadb-devel-10.1.35-1.mga6
libmariadb-embedded18-10.1.35-1.mga6
libmariadb-embedded-devel-10.1.35-1.mga6

from mariadb-10.1.35-1.mga6.src.rpm

Comment 5 David Walser 2018-08-08 01:53:58 CEST
Completed: Failed 1/4754 tests, 99.98% were successful.

Failing test(s): disks.disks

http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180807171622.mokraemer.duvel.29558/log/mariadb-10.1.35-1.mga6/build.0.20180807171728.log

Comment 6 Marc Krämer 2018-08-08 02:38:27 CEST
thx. It was the same in cauldron on the last release. This is just an information scheme test. We skip this test ;) Rebuild is running, but with the tests, it takes ages. I think the last release was faster in building....

Marc Krämer 2018-08-08 10:13:30 CEST

Assignee: mageia => qa-bugs

Comment 7 PC LX 2018-08-08 12:22:31 CEST
Installed and tested without issues.

Tests included:
- Using several web sites (e.g. PHP scripts) that use MySQL databases.
- Using the CLI client to run several complex SQL scripts.
- Using custom Qt/C++ applications that use MySQL.
- Using the CLI client manually.
- Local (unix socket) and remote (IPv4 socket) connections.
- Using MySQL workbench GUI.
- Database dump/restore.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i mariadb | sort
lib64mariadb18-10.1.35-1.mga6
lib64mariadb-embedded18-10.1.35-1.mga6
mariadb-10.1.35-1.mga6
mariadb-bench-10.1.35-1.mga6
mariadb-client-10.1.35-1.mga6
mariadb-common-10.1.35-1.mga6
mariadb-common-core-10.1.35-1.mga6
mariadb-core-10.1.35-1.mga6
mariadb-extra-10.1.35-1.mga6
mariadb-feedback-10.1.35-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 8 Herman Viaene 2018-08-10 15:33:16 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
This is overwriting an existing older version.
Ran phpmyadmin, deleted a previous test database, created a new one, created a test table with a primary key, another unique key and a timestamp field. All OK.
Good to go for me.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 9 Thomas Backlund 2018-08-12 22:08:11 CEST
advisory added, validating

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 10 Mageia Robot 2018-08-12 22:40:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0335.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

