Bug 25210 - mariadb new security issues (fixed in 10.1.41 and 10.3.17)
Summary: mariadb new security issues (fixed in 10.1.41 and 10.3.17)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-01 11:58 CEST by Marc Krämer
Modified: 2019-08-18 14:40 CEST (History)
5 users (show)

See Also:
Source RPM: mariadb
CVE:
Status comment:


Attachments

Marc Krämer 2019-08-01 11:59:41 CEST

Whiteboard: (none) => MGA6TOO

Marc Krämer 2019-08-01 12:00:16 CEST

Summary: new security issues in MariaDB => MariaDB new security issues

Comment 1 Marc Krämer 2019-08-01 14:13:03 CEST
MGA6:
Suggested advisory:
========================
Updated mariadb packages fix security vulnerabilities:

Some easily exploitable security issues were discovered and fixed in the latest release from this branch. This release contains some bugfixes for
- FULLTEXT INDEX
- Encrypted temporary tables
- Indexed virtual columns
- Recovery & Mariabackup


References:
https://mariadb.com/kb/en/library/mariadb-10317-release-notes/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2739 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2737 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2758

Updated packages in core/updates_testing:
========================
mariadb-10.1.41-1.mga6
mysql-MariaDB-10.1.41-1.mga6
mariadb-cassandra-10.1.41-1.mga6
mariadb-feedback-10.1.41-1.mga6
mariadb-connect-10.1.41-1.mga6
mariadb-sphinx-10.1.41-1.mga6
mariadb-mroonga-10.1.41-1.mga6
mariadb-sequence-10.1.41-1.mga6
mariadb-spider-10.1.41-1.mga6
mariadb-extra-10.1.41-1.mga6
mariadb-obsolete-10.1.41-1.mga6
mariadb-core-10.1.41-1.mga6
mariadb-common-core-10.1.41-1.mga6
mariadb-common-10.1.41-1.mga6
mariadb-client-10.1.41-1.mga6
mariadb-bench-10.1.41-1.mga6
libmariadb18-10.1.41-1.mga6
libmariadb-devel-10.1.41-1.mga6
libmariadb-embedded18-10.1.41-1.mga6
libmariadb-embedded-devel-10.1.41-1.mga6
mariadb-debuginfo-10.1.41-1.mga6

Source RPMs:
mariadb-10.1.41-1.mga6.src.rpm



MGA7:
Suggested advisory:
========================
Updated mariadb packages fix security vulnerabilities:

Some easily exploitable security issues were discovered and fixed in the latest release from this branch. This release contains some bugfixes for
- FULLTEXT INDEX
- Encrypted temporary tables
- Indexed virtual columns
- Recovery & Mariabackup


References:
https://mariadb.com/kb/en/library/mariadb-10317-release-notes/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2739 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2737 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2758

Updated packages in core/updates_testing:
========================
mariadb-10.3.17-1.mga7
mysql-MariaDB-10.3.17-1.mga7
mariadb-feedback-10.3.17-1.mga7
mariadb-connect-10.3.17-1.mga7
mariadb-sphinx-10.3.17-1.mga7
mariadb-mroonga-10.3.17-1.mga7
mariadb-sequence-10.3.17-1.mga7
mariadb-spider-10.3.17-1.mga7
mariadb-extra-10.3.17-1.mga7
mariadb-obsolete-10.3.17-1.mga7
mariadb-core-10.3.17-1.mga7
mariadb-common-core-10.3.17-1.mga7
mariadb-common-10.3.17-1.mga7
mariadb-client-10.3.17-1.mga7
mariadb-bench-10.3.17-1.mga7
libmariadb3-10.3.17-1.mga7
libmariadb-devel-10.3.17-1.mga7
libmariadbd19-10.3.17-1.mga7
libmariadb-embedded-devel-10.3.17-1.mga7
mariadb-debugsource-10.3.17-1.mga7
mariadb-debuginfo-10.3.17-1.mga7
mariadb-feedback-debuginfo-10.3.17-1.mga7
mariadb-connect-debuginfo-10.3.17-1.mga7
mariadb-sphinx-debuginfo-10.3.17-1.mga7
mariadb-mroonga-debuginfo-10.3.17-1.mga7
mariadb-sequence-debuginfo-10.3.17-1.mga7
mariadb-spider-debuginfo-10.3.17-1.mga7
mariadb-extra-debuginfo-10.3.17-1.mga7
mariadb-obsolete-debuginfo-10.3.17-1.mga7
mariadb-core-debuginfo-10.3.17-1.mga7
mariadb-common-debuginfo-10.3.17-1.mga7
mariadb-client-debuginfo-10.3.17-1.mga7
mariadb-bench-debuginfo-10.3.17-1.mga7
libmariadb3-debuginfo-10.3.17-1.mga7
libmariadbd19-debuginfo-10.3.17-1.mga7
libmariadb-embedded-devel-debuginfo-10.3.17-1.mga7


Source RPMs:
mariadb-10.3.17-1.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 2 PC LX 2019-08-02 16:12:13 CEST
Installed and tested without issues.

Tested using:
- php scripts using PDO/mysql;
- myphpadmin;
- Qt5 applications using the mysql plugin.
- MySQL Workbench;
- mysql CLI;

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.1.18-desktop-1.mga7 #1 SMP Sun Jul 14 10:08:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$
$
$ rpm -qa | grep -iE 'mariadb|mysql' | sort
lib64mariadb3-10.3.17-1.mga7
lib64mysqlcppconn7-1.1.9-2.1.mga7
lib64qt5-database-plugin-mysql-5.12.2-2.mga7
mariadb-10.3.17-1.mga7
mariadb-client-10.3.17-1.mga7
mariadb-common-10.3.17-1.mga7
mariadb-common-core-10.3.17-1.mga7
mariadb-core-10.3.17-1.mga7
mariadb-extra-10.3.17-1.mga7
mysql-workbench-6.3.10-6.mga7
perl-DBD-mysql-4.50.0-1.mga7
php-mysqli-7.3.8-1.mga7
php-mysqlnd-7.3.8-1.mga7
php-pdo_mysql-7.3.8-1.mga7
$
$
$ systemctl status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-08-02 14:45:59 WEST; 2s ago
  Process: 14468 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 14483 (mysqld)
   Status: "Taking your SQL requests now..."
   Memory: 54.1M
   CGroup: /system.slice/mysqld.service
           └─14483 /usr/sbin/mysqld

ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: 10.3.17 started; log sequence number 292399285; transaction id 893247
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
ago 02 14:45:59 marte mysqld[14483]: 190802 14:45:59 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
ago 02 14:45:59 marte mysqld[14483]: 190802 14:45:59 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2019-08-02 14:45:59 0 [Note] Reading of all Master_info entries s>
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] Added new Master_info '' to hash table
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] /usr/sbin/mysqld: ready for connections.
ago 02 14:45:59 marte mysqld[14483]: Version: '10.3.17-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 0  Mageia MariaDB Server
ago 02 14:45:59 marte systemd[1]: Started MySQL database server.
ago 02 14:45:59 marte mysqld[14483]: 2019-08-02 14:45:59 0 [Note] InnoDB: Buffer pool(s) load completed at 190802 14:45:59

CC: (none) => mageia

Comment 3 PC LX 2019-08-07 01:02:09 CEST
Have been using this update without issues for several days now.

I'm putting and OK for x86_64 on this. Feel free to remove it if you think an OK is premature.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

PC LX 2019-08-07 01:02:18 CEST

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA7-64-OK

Comment 4 Thomas Andrews 2019-08-09 04:13:45 CEST
We need an MGA6 OK before this ca be validated.

CC: (none) => andrewsfarm

Thomas Backlund 2019-08-10 16:52:15 CEST

Keywords: (none) => advisory
CC: (none) => tmb
Component: RPM Packages => Security
QA Contact: (none) => security

David Walser 2019-08-10 18:16:53 CEST

Summary: MariaDB new security issues => mariadb new security issues (fixed in 10.1.41 and 10.3.17)

Comment 5 Brian Rockwell 2019-08-18 00:05:53 CEST
MGA6 - 64bit - Xfce - Mariadb 10.1.41

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.137-1.mga6.x86_64
- lib64aio-devel-0.3.110-4.mga6.x86_64
- lib64aio1-0.3.110-4.mga6.x86_64
- lib64bzip2-devel-1.0.6-10.mga6.x86_64
- lib64jemalloc2-4.5.0-4.mga6.x86_64
- lib64lz4-devel-1.7.5-1.mga6.x86_64
- lib64lz4_1-1.7.5-1.mga6.x86_64
- lib64lzma-devel-5.2.3-1.mga6.x86_64
- lib64lzo-devel-2.09-4.mga6.x86_64
- lib64mariadb-devel-10.1.41-1.mga6.x86_64
- lib64mariadb-embedded-devel-10.1.41-1.mga6.x86_64
- lib64mariadb-embedded18-10.1.41-1.mga6.x86_64
- lib64mariadb18-10.1.41-1.mga6.x86_64
- lib64minilzo0-2.09-4.mga6.x86_64
- lib64openssl-devel-1.0.2r-1.mga6.x86_64
- lib64pcre-devel-8.41-1.mga6.x86_64
- lib64pcre32_0-8.41-1.mga6.x86_64
- lib64pcreposix1-8.41-1.mga6.x86_64
- lib64pq5-9.6.15-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.1.mga6.x86_64
- libstdc++-devel-5.5.0-2.mga6.x86_64
- libstdc++6-5.5.0-2.mga6.x86_64
- mariadb-10.1.41-1.mga6.x86_64
- mariadb-client-10.1.41-1.mga6.x86_64
- mariadb-common-10.1.41-1.mga6.x86_64
- mariadb-common-core-10.1.41-1.mga6.x86_64
- mariadb-core-10.1.41-1.mga6.x86_64
- mariadb-extra-10.1.41-1.mga6.x86_64
- mariadb-feedback-10.1.41-1.mga6.x86_64
- mariadb-mroonga-10.1.41-1.mga6.x86_64
- mariadb-obsolete-10.1.41-1.mga6.x86_64
- mariadb-sequence-10.1.41-1.mga6.x86_64
- mariadb-sphinx-10.1.41-1.mga6.x86_64
- mariadb-spider-10.1.41-1.mga6.x86_64
- perl-DBI-1.636.0-2.mga6.x86_64
- sphinx-2.2.11-1.mga6.x86_64


Installed nextcloud to use mariadb.  Working as designed.

CC: (none) => brtians1

Comment 6 Brian Rockwell 2019-08-18 01:08:43 CEST
MGA6 32bit - Mate

$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux


- libaio1-0.3.110-4.mga6.i586
- libjemalloc2-4.5.0-4.mga6.i586
- liblz4_1-1.7.5-1.mga6.i586
- libmariadb18-10.1.41-1.mga6.i586
- libpcreposix1-8.41-1.mga6.i586
- mariadb-10.1.41-1.mga6.i586
- mariadb-client-10.1.41-1.mga6.i586
- mariadb-common-10.1.41-1.mga6.i586
- mariadb-common-core-10.1.41-1.mga6.i586
- mariadb-core-10.1.41-1.mga6.i586
- mariadb-extra-10.1.41-1.mga6.i586
- perl-DBI-1.636.0-2.mga6.i586

Repeated nextcloud test - it worked.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK

Comment 7 Thomas Andrews 2019-08-18 02:37:01 CEST
Thank you, Brian. Validating to send it on its way...

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2019-08-18 14:40:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0224.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.