Bug 23407 - mariadb 10.0.36
Summary: mariadb 10.0.36
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-08 00:58 CEST by David Walser
Modified: 2018-08-31 23:13 CEST

See Also:
Source RPM: mariadb-10.0.35-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2018-08-08 00:58:00 CEST
MariaDB 10.0.36 has been released on August 1:
https://mariadb.org/mariadb-10-0-36-now-available/
https://mariadb.com/kb/en/library/mariadb-10036-release-notes/

It fixes 4 security issues.

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL

Update submitted to the build system.  Saving the advisory below.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
MyISAM). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized update, insert or
delete access to some of MariaDB Server accessible data (CVE-2018-3058).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Security: Privileges). Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MariaDB Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MariaDB Server (CVE-2018-3063).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise MariaDB Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MariaDB Server as well
as unauthorized update, insert or delete access to some of MariaDB Server
accessible data (CVE-2018-3064).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Options). Difficult to exploit vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MariaDB Server accessible data as
well as unauthorized read access to a subset of MariaDB Server accessible data
(CVE-2018-3066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066
https://mariadb.com/kb/en/library/mariadb-10036-release-notes/
https://mariadb.org/mariadb-10-0-36-now-available/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixMSQL
========================

Updated packages in core/updates_testing:
========================
mariadb-10.0.36-1.mga5
mysql-MariaDB-10.0.36-1.mga5
mariadb-cassandra-10.0.36-1.mga5
mariadb-feedback-10.0.36-1.mga5
mariadb-oqgraph-10.0.36-1.mga5
mariadb-connect-10.0.36-1.mga5
mariadb-sphinx-10.0.36-1.mga5
mariadb-mroonga-10.0.36-1.mga5
mariadb-sequence-10.0.36-1.mga5
mariadb-spider-10.0.36-1.mga5
mariadb-extra-10.0.36-1.mga5
mariadb-obsolete-10.0.36-1.mga5
mariadb-core-10.0.36-1.mga5
mariadb-common-core-10.0.36-1.mga5
mariadb-common-10.0.36-1.mga5
mariadb-client-10.0.36-1.mga5
mariadb-bench-10.0.36-1.mga5
libmariadb18-10.0.36-1.mga5
libmariadb-devel-10.0.36-1.mga5
libmariadb-embedded18-10.0.36-1.mga5
libmariadb-embedded-devel-10.0.36-1.mga5

from mariadb-10.0.36-1.mga5.src.rpm

Comment 1 David Walser 2018-08-08 05:01:05 CEST
It built.  Advisory and package list in Comment 0.

Assignee: luigiwalser => qa-bugs

Thomas Backlund 2018-08-10 12:31:20 CEST

CC: (none) => tmb
Version: Cauldron => 5

Comment 2 Herman Viaene 2018-08-10 17:08:22 CEST
MGA5-32 Xfce on Dell Latitude D600
No installation issues
This is overwriting an existing older version.
Ran phpmyadmin, deleted two previous test databases, created a new one, created a test table with a primary key, another unique key and a timestamp field. All OK.
Good to go for me.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2018-08-29 03:38:36 CEST
On real hardware, Athlon X2 7750, 8GB RAM, nvidia340 graphics, atheros wifi, 64-bit KDE4.

Packages updated cleanly. On the basis of this and Herman's test, giving this a 64-bit OK and validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Thomas Backlund 2018-08-31 19:47:02 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2018-08-31 23:13:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0359.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

