Assigning to the registered maintainer.

CC'ing two recent committers.

CC: (none) => marja11, mrambo, tmb
Assignee: bugsquad => alien

Thanks for picking this up.  I see you changed the version number...

MariaDB 10.1.35 was released today (August 7):
https://mariadb.org/mariadb-10-1-35-and-mariadb-galera-cluster-10-0-36-now-available/
https://mariadb.com/kb/en/library/mariadb-10135-release-notes/

It fixes 4 security issues.

QA Contact: (none) => security
Component: RPM Packages => Security

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL

I see the update's already building.  Advisory below.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
MyISAM). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized update, insert or
delete access to some of MariaDB Server accessible data (CVE-2018-3058).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Security: Privileges). Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MariaDB Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MariaDB Server (CVE-2018-3063).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MariaDB Server as well
as unauthorized update, insert or delete access to some of MariaDB Server
accessible data (CVE-2018-3064).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Options). Difficult to exploit vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MariaDB Server accessible data as
well as unauthorized read access to a subset of MariaDB Server accessible data
(CVE-2018-3066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066
https://mariadb.com/kb/en/library/mariadb-10134-release-notes/
https://mariadb.com/kb/en/library/mariadb-10135-release-notes/
https://mariadb.org/mariadb-10-1-34-and-latest-mariadb-connectors-now-available/
https://mariadb.org/mariadb-10-1-35-and-mariadb-galera-cluster-10-0-36-now-available/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL
========================

Updated packages in core/updates_testing:
========================
mariadb-10.1.35-1.mga6
mysql-MariaDB-10.1.35-1.mga6
mariadb-cassandra-10.1.35-1.mga6
mariadb-feedback-10.1.35-1.mga6
mariadb-connect-10.1.35-1.mga6
mariadb-sphinx-10.1.35-1.mga6
mariadb-mroonga-10.1.35-1.mga6
mariadb-sequence-10.1.35-1.mga6
mariadb-spider-10.1.35-1.mga6
mariadb-extra-10.1.35-1.mga6
mariadb-obsolete-10.1.35-1.mga6
mariadb-core-10.1.35-1.mga6
mariadb-common-core-10.1.35-1.mga6
mariadb-common-10.1.35-1.mga6
mariadb-client-10.1.35-1.mga6
mariadb-bench-10.1.35-1.mga6
libmariadb18-10.1.35-1.mga6
libmariadb-devel-10.1.35-1.mga6
libmariadb-embedded18-10.1.35-1.mga6
libmariadb-embedded-devel-10.1.35-1.mga6

from mariadb-10.1.35-1.mga6.src.rpm

Completed: Failed 1/4754 tests, 99.98% were successful.

Failing test(s): disks.disks

http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180807171622.mokraemer.duvel.29558/log/mariadb-10.1.35-1.mga6/build.0.20180807171728.log

thx. It was the same in cauldron on the last release. This is just an information scheme test. We skip this test ;) Rebuild is running, but with the tests, it takes ages. I think the last release was faster in building....

Installed and tested without issues.

Tests included:
- Using several web sites (e.g. PHP scripts) that use MySQL databases.
- Using the CLI client to run several complex SQL scripts.
- Using custom Qt/C++ applications that use MySQL.
- Using the CLI client manually.
- Local (unix socket) and remote (IPv4 socket) connections.
- Using MySQL workbench GUI.
- Database dump/restore.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i mariadb | sort
lib64mariadb18-10.1.35-1.mga6
lib64mariadb-embedded18-10.1.35-1.mga6
mariadb-10.1.35-1.mga6
mariadb-bench-10.1.35-1.mga6
mariadb-client-10.1.35-1.mga6
mariadb-common-10.1.35-1.mga6
mariadb-common-core-10.1.35-1.mga6
mariadb-core-10.1.35-1.mga6
mariadb-extra-10.1.35-1.mga6
mariadb-feedback-10.1.35-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
This is overwriting an existing older version.
Ran phpmyadmin, deleted a previous test database, created a now one, created a test table with a primary key, another unique key and a timestamp field.All OK.
Good to go for me.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

advisory added, validating

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0335.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED