Fixed two CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2627
Suggested advisory:
========================

Updated mariadb packages fix security vulnerabilities:

One easily exploitable vulnerability and one difficult-to-exploit vulnerability were discovered that can be used for a DoS attack.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2627
========================

Updated packages in core/updates_testing:
========================
mariadb-10.1.39-1.mga6
mysql-MariaDB-10.1.39-1.mga6
mariadb-cassandra-10.1.39-1.mga6
mariadb-feedback-10.1.39-1.mga6
mariadb-connect-10.1.39-1.mga6
mariadb-sphinx-10.1.39-1.mga6
mariadb-mroonga-10.1.39-1.mga6
mariadb-sequence-10.1.39-1.mga6
mariadb-spider-10.1.39-1.mga6
mariadb-extra-10.1.39-1.mga6
mariadb-obsolete-10.1.39-1.mga6
mariadb-core-10.1.39-1.mga6
mariadb-common-core-10.1.39-1.mga6
mariadb-common-10.1.39-1.mga6
mariadb-client-10.1.39-1.mga6
mariadb-bench-10.1.39-1.mga6
libmariadb18-10.1.39-1.mga6
libmariadb-devel-10.1.39-1.mga6
libmariadb-embedded18-10.1.39-1.mga6
libmariadb-embedded-devel-10.1.39-1.mga6
mariadb-debuginfo-10.1.39-1.mga6

SRPM:
mariadb-10.1.39-1.mga6.src.rpm
Assignee: mageia => qa-bugs
Installed and tested without issues.

Tested using:
- multiple php/mysql/PDO scripts;
- phpMyAdmin;
- MySQL Workbench;
- mysql CLI;
- Qt5 applications using mysql plugin.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i mariadb | sort
lib64mariadb18-10.1.39-1.mga6
lib64mariadb-embedded18-10.1.39-1.mga6
mariadb-10.1.39-1.mga6
mariadb-bench-10.1.39-1.mga6
mariadb-client-10.1.39-1.mga6
mariadb-common-10.1.39-1.mga6
mariadb-common-core-10.1.39-1.mga6
mariadb-core-10.1.39-1.mga6
mariadb-extra-10.1.39-1.mga6
mariadb-feedback-10.1.39-1.mga6

$ rpm -qa | grep mysql | sort
lib64mysqlcppconn7-1.1.8-1.mga6
lib64qt5-database-plugin-mysql-5.9.4-1.2.mga6
mysql-workbench-6.3.9-1.mga6
perl-DBD-mysql-4.46.0-1.mga6
php-mysqli-7.2.14-1.mga6
php-mysqlnd-7.2.14-1.mga6
php-pdo_mysql-7.2.14-1.mga6
php-pear-MDB2_Driver_mysql-1.5.0-0.0.b10.mga6
php-pear-MDB2_Driver_mysqli-1.5.0-0.0.b9.mga6

$ systemctl status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sex 2019-05-03 12:19:35 WEST; 16min ago
  Process: 7245 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 7261 (mysqld)
   Status: "Taking your SQL requests now..."
      CPU: 1.607s
   CGroup: /system.slice/mysqld.service
           └─7261 /usr/sbin/mysqld

Mai 03 12:19:33 marte mysqld[7261]: 2019-05-03 12:19:33 140269545781312 [Note] InnoDB: 128 rollback segment(s) are active.
Mai 03 12:19:33 marte mysqld[7261]: 2019-05-03 12:19:33 140269545781312 [Note] InnoDB: Waiting for purge to start
Mai 03 12:19:33 marte mysqld[7261]: 2019-05-03 12:19:33 140269545781312 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.43-84.3 started; log sequence number 291950009
Mai 03 12:19:34 marte mysqld[7261]: 2019-05-03 12:19:34 140268877641472 [Note] InnoDB: Dumping buffer pool(s) not yet started
Mai 03 12:19:34 marte mysqld[7261]: 190503 12:19:34 server_audit: MariaDB Audit Plugin version 1.4.4 STARTED.
Mai 03 12:19:35 marte mysqld[7261]: 2019-05-03 12:19:35 140269545781312 [Note] /usr/sbin/mysqld: ready for connections.
Mai 03 12:19:35 marte mysqld[7261]: Version: '10.1.39-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
Mai 03 12:19:35 marte systemd[1]: Started MySQL database server.
Mai 03 12:24:34 marte mysqld[7261]: 2019-05-03 12:24:34 140268856669952 [Note] feedback plugin: report to 'https://mariadb.org/feedback_plugin/post' was sent
Mai 03 12:24:35 marte mysqld[7261]: 2019-05-03 12:24:35 140268856669952 [Note] feedback plugin: server replied 'ok'
CC: (none) => mageia
Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Server component of MariaDB (subcomponent: Server: Replication). Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2019-2614).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent: Server: Security: Privileges). Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2019-2627).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2627
https://mariadb.com/kb/en/library/mariadb-10139-release-notes/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL
Component: RPM Packages => Security
Summary: New CVE's on the latest MariaDB Release => mariadb 10.1.39
QA Contact: (none) => security
MGA6-64 Plasma on Lenovo B50
No installation issues.

At CLI:
# systemctl -l status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: enabled)
   Active: active (running) since zo 2019-05-05 14:29:27 CEST; 6min ago
 Main PID: 5024 (mysqld)
   Status: "Taking your SQL requests now..."
   CGroup: /system.slice/mysqld.service
           └─5024 /usr/sbin/mysqld

mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [Note] InnoDB: Waiting for purge to start
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.43-84.3 started; log se
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072087189248 [Note] InnoDB: Dumping buffer pool(s) not yet started
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [Warning] mysqld: GSSAPI plugin : default principal 'mariadb/mach5.hviaene.thuis@'
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [ERROR] mysqld: Server GSSAPI error (major 851968, minor 2529639093) : gss_acquire_
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [ERROR] Plugin 'gssapi' init function returned error.
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 190505 14:29:27 server_audit: MariaDB Audit Plugin version 1.4.4 STARTED.
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: 2019-05-05 14:29:27 140072759416896 [Note] /usr/sbin/mysqld: ready for connections.
mei 05 14:29:27 mach5.hviaene.thuis mysqld[5024]: Version: '10.1.39-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
mei 05 14:29:27 mach5.hviaene.thuis systemd[1]: Started MySQL database server.

I wanted to test as usual with phpmyadmin, but on installing that one I get:
"php-mcrypt is obsoleted by (geïnstalleerd) lib64php_common7-3:7.2.11-3.mga6.x86_64"
Having to look up another way of testing. AFAICS this is nowhere the fault of mariadb, but it's annoying.
Installing mysql-workbench has the same problem.
CC: (none) => herman.viaene
From bug 23967 Comment 3

$ mysql_upgrade -p --skip-write-binlog
Enter password:
Phase 1/7: Checking and upgrading mysql database
Processing databases
mysql
mysql.column_stats OK
mysql.columns_priv OK
mysql.db OK
mysql.event OK
mysql.func OK
and a long list......
Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
Phase 4/7: Running 'mysql_fix_privilege_tables'
Phase 5/7: Fixing table and database names
Phase 6/7: Checking and upgrading tables
Processing databases
dbbglpi
dbbglpi.glpi_alerts OK
dbbglpi.glpi_apiclients OK
dbbglpi.glpi_authldapreplicates OK
dbbglpi.glpi_authldaps OK
dbbglpi.glpi_authmails OK
dbbglpi.glpi_autoupdatesystems OK
etc .......
information_schema
performance_schema
test
Phase 7/7: Running 'FLUSH PRIVILEGES'
OK
Could not create the upgrade info file '/var/lib/mysql/mysql_upgrade_info' in the MySQL Servers datadir, errno: 13
information_schema
performance_schema
test
Phase 7/7: Running 'FLUSH PRIVILEGES'
OK
Could not create the upgrade info file '/var/lib/mysql/mysql_upgrade_info' in the MySQL Servers datadir, errno: 13

The last line is caused by running the command as normal user, as root all is OK.
Connected with mysql command to existing "test" database, created a table, inserted a row of values and read the table, all OK.

MariaDB [test]> show tables;
Empty set (0.00 sec)

MariaDB [test]> create table testtab(kol1 int, koll2 char(20), kol3 char(100));
Query OK, 0 rows affected (0.65 sec)

MariaDB [test]> show tables;
+----------------+
| Tables_in_test |
+----------------+
| testtab        |
+----------------+
1 row in set (0.00 sec)

MariaDB [test]> insert into testtab(kol1,koll2,kol3) values (1,"aaa","bbbbbbbbbb");
Query OK, 1 row affected (0.05 sec)

MariaDB [test]> select * from testtab
    -> ;
+------+-------+------------+
| kol1 | koll2 | kol3       |
+------+-------+------------+
|    1 | aaa   | bbbbbbbbbb |
+------+-------+------------+
1 row in set (0.00 sec)

Good enough for me.
Whiteboard: (none) => MGA6-64-OK
If you run php 7.2 from backports, you have to install php-mcrypt from backports as well.
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_backport
CC: (none) => davidwhodgins
Fixing validated_update instead of validated_backport.
Keywords: validated_backport => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0181.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED