Ubuntu has issued an advisory on November 5:
http://www.ubuntu.com/usn/usn-1621-1/
It lists several CVEs fixed in MySQL 5.5.28, which are also listed at the bottom of this page:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
If any of these affect MariaDB (and they likely do), we should issue an update.
CC: (none) => alien
Whiteboard: (none) => MGA2TOO, MGA1TOO
Assignee: bugsquad => alien
actually, i'm in a private security mailing list about mariadb, and the list at the bottom of the page you specified has only 3 of them that have relation to 5.5.27, the others are earlier, and i constantly keep up2date with security and major bugfixes on the stable version of mga2. ==> so, they don't likely do :-) that being said, i forwarded this to mariadb, and they are going to do a short summary soon-ish, so i can look them over and see if we already have patches for them or not. i'm removing mga1too, since at mga1too, we don't have mariadb, but there is mysql.
Whiteboard: MGA2TOO, MGA1TOO => MGA2TOO
(In reply to comment #1)
> i'm removing mga1too, since at mga1too, we don't have mariadb, but there is
> mysql.
This is true, but contrary to popular opinion, Mageia 1 is still supported. I'll CC tmb since I think he's helped with the updates for mysql. Of course, if we update that to 5.5.28 we'll have a version upgrade issue, so we need to work together to figure out how to handle this.
CC: (none) => tmb
Source RPM: mariadb => mariadb, mysql
Whiteboard: MGA2TOO => MGA2TOO, MGA1TOO
Also, we only have 5.5.25 of MariaDB in Mageia 2, so issues in relation to just 5.5.27 may not cover everything.
as i said, i have kept up2date and decided with each subrelease if we needed to patch mga2 or update. AND mariadb people will post me a summary, just in case we forgot some. also, when i removed MGA1too, i meant that the package is different and thus should need a different bug report. however, of course it would be interesting to work together on this.
Well yes, you're absolutely right. For now, I'd like to stick with one bug report until we actually have packages to push to QA.
Oracle really annoys me to no end... most in that list have really no business being security bugs imho...
anyway, i fixed 2 from a modified patch (getting rid of the features which are bunched in the same commit) for mga2 and i'd like just that one tested and fixed.
cauldron will get 5.5.28 after alpha3 release, so, don't wait on that.
for mga1; maybe someone would like to backport the patches from mga2 mariadb to mysql.
mariadb-5.5.25-2.3
Security Advisory:
------------------
This Update fixes CVE-2012-3147 and CVE-2012-3158 which are both checking validity of certain values in protocols.
Hardware: i586 => All
Maarten, I don't quite understand what the advisory above is saying.
Packages built for this update:
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2
there's 2 CVEs fixed in this release, which check certain fields of protocols for valid values
- length of next field not being negative
- in certain conditions the length should be exactly 6
how should the Sec Adv be reworded? should i say: unknown vectors have unknown effects on unknown service? :-)
It's just the way it was worded didn't make sense. Still not sure what you mean by "protocols." I'm guessing if it's listening as a TCP service, the protocol used for interacting with that has some input validation flaws.
well, tbh, i'm not exactly certain which protocols they are, but i'm pretty sure it'll likely be some kind of networking protocol
but since at least one of it is related to plugin authentication, it may just be the API with the auth plugin modules (like pam_auth)
The Ubuntu advisory didn't mention a few CVEs that are mentioned by RedHat. RedHat has issued an advisory on November 14:
https://rhn.redhat.com/errata/RHSA-2012-1462.html
from http://lwn.net/Vulnerabilities/525256/
Are any of these relevant or interesting to us?
CVE-2012-0540
CVE-2012-1689
CVE-2012-1734
CVE-2012-2749
CVE-2012-0540: 5.5.23 and earlier
CVE-2012-1689: 5.5.22 and earlier
CVE-2012-1734: 5.5.23 and earlier
CVE-2012-2749: before 5.5.24
so no, quite old CVEs, it looks like redhat security really is subpar
in the meantime cauldron now has 5.5.28, looks like the splitting is on hold for 10.x due to some missing functionality, but i have confirmation that the missing functionality should be done quite soon. is mga2 mariadb validated already?
Does 5.5.28 fix all of these issues? If so we can change the version assignments on the bug. The Mageia 2 package hasn't been pushed to QA yet. Thomas also has yet to comment on how to handle Mageia 1 (although I'm guessing it's wait 2 weeks, then don't fix it :o). We can push to QA soon, although I'll let them know it's testable now (meeting starts in a few minutes).
CC: (none) => qa-bugs
mariadb has mysql merges from 5.5.28, so it has at least all fixes reported by oracle CVEs, which come hugely late anyway. i suspect the mga1 sec fix is to wait 2 weeks and after that it's: upgrade to mariadb in mga2
Indeed. Changing the version assignment. Do you have a finalized advisory you would like to use for the update?
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
that one i had in previous comment is ok, but if it can be worded better, you may change it if you want to.
Please hold off validating this one for a day or so, I'm going to review what has to be done for mysql in mga1. If I have to bump version, this update will have to adapt to keep upgrade path...
you could just get all the patches from mga2 to mga1, they will likely work
The patch that was just added to mariadb works just fine for mysql. Patched package uploaded for Mageia 1.
Packages built:
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1
from mysql-5.5.23-1.2.mga1.src.rpm
Assigning to QA. Thanks again Maarten. How's this for a vague, yet specific advisory? :o)
Using one bug since it's the same patch, same advisory, basically the same software, and the same testing procedure. Can be split if need be.
Advisory:
========================
Updated mariadb and mysql packages fix security vulnerabilities:
Unspecified vulnerabilities that involve checking the validity of values in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
========================
Updated packages in core/updates_testing:
========================
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2
from SRPMS:
mysql-5.5.23-1.2.mga1.src.rpm
mariadb-5.5.25-2.3.mga2.src.rpm
CC: qa-bugs => (none)
Assignee: alien => qa-bugs
Re-posting the advisory, adding the Oracle reference.
Advisory:
========================
Updated mariadb and mysql packages fix security vulnerabilities:
Unspecified vulnerabilities that involve checking the validity of values in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
========================
Updated packages in core/updates_testing:
========================
mysql-5.5.23-1.2.mga1
mysql-core-5.5.23-1.2.mga1
mysql-common-core-5.5.23-1.2.mga1
mysql-common-5.5.23-1.2.mga1
mysql-client-5.5.23-1.2.mga1
mysql-bench-5.5.23-1.2.mga1
libmysql18-5.5.23-1.2.mga1
libmysqlservices-5.5.23-1.2.mga1
libmysql-devel-5.5.23-1.2.mga1
libmysqld0-5.5.23-1.2.mga1
libmysqld-devel-5.5.23-1.2.mga1
mariadb-5.5.25-2.3.mga2
mysql-MariaDB-5.5.25-2.3.mga2
mariadb-feedback-5.5.25-2.3.mga2
mariadb-extra-5.5.25-2.3.mga2
mariadb-obsolete-5.5.25-2.3.mga2
mariadb-core-5.5.25-2.3.mga2
mariadb-common-core-5.5.25-2.3.mga2
mariadb-common-5.5.25-2.3.mga2
mariadb-client-5.5.25-2.3.mga2
mariadb-bench-5.5.25-2.3.mga2
libmariadb18-5.5.25-2.3.mga2
libmariadb-devel-5.5.25-2.3.mga2
libmariadb-embedded18-5.5.25-2.3.mga2
libmariadb-embedded-devel-5.5.25-2.3.mga2
from SRPMS:
mysql-5.5.23-1.2.mga1.src.rpm
mariadb-5.5.25-2.3.mga2.src.rpm
Testing complete on Mageia 1 i586 and x86-64. No poc, so just testing that mysql is working, using phpmyadmin. I'll test Mageia 2 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA1-64-OK MGA1-32-OK
Testing complete on Mageia 2 i586 and x86-64.
Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
mysql-5.5.23-1.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.
Advisory:
Updated mariadb and mysql packages fix security vulnerabilities:
Unspecified vulnerabilities that involve checking the validity of values in fields in certain protocols (CVE-2012-3147, CVE-2012-3158).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3158
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
https://bugs.mageia.org/show_bug.cgi?id=7996
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-64-OK MGA1-32-OK => MGA1TOO MGA1-64-OK MGA1-32-OK MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0341
Status: NEW => RESOLVED
Resolution: (none) => FIXED