USN-2480-1: MySQL vulnerabilities partially also applies to MariaDB

Bug #1414755 reported by Otto Kekäläinen
Affects: mariadb-5.5 (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Otto Kekäläinen | Milestone: (none)

Bug Description

The mentioned security issues were mostly already fixed in previous MariaDB versions, and the rest of them were fixed in 5.5.41, which is now a security release.

From https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5541-release-notes/

  Fixes for the following security vulnerabilities:
    CVE-2015-0411
    CVE-2015-0382
    CVE-2015-0381
    CVE-2015-0432
    CVE-2014-6568
    CVE-2015-0374

I will produce a security release and upload it as a patch to this bug report.

Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
status: New → In Progress
Revision history for this message
Otto Kekäläinen (otto) wrote :

1) Patches have been created:

The patch debdiff patch for Trusty is essentially this:
https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.40-0ubuntu0.14.04.1...ubuntu-14.04

And for Utopic this:
https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.40-0ubuntu0.14.10.1...ubuntu-14.10

Apply the patches above on top of the current 5.5.40 package in Ubuntu and for the non debian/* stuff, get the upstream mariadb-5.5.41.tar.gz package from MariaDB.org.

Vivid MariaDB 5.5 should be removed. Debian unstable at the moment only contains MariaDB 10.0 and so should Vivid too.

After this upgrade the MariaDB 5.5 in Trusty and Utopic are unified.

2) Testing the patches

Test build (including test suite) for Trusty and Utopic has passed successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+packages

I will still do some testing upgrading/installing the Trusty package on a test machine.

I will comment on this issue when my manual tests are completed.

Revision history for this message
Otto Kekäläinen (otto) wrote :

I have now tested manually that the new package installs OK and also upgrades both old MariaDB and MySQL correctly. Feel free to upload MariaDB 5.5.41 to Trusty and Utopic with the debdiff type patches above.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Otto, I wish we'd finished this yesterday, the cacert.pem expired today causing the builds on the build service to fail despite successful builds on my development laptop.

Any suggestions how to replace this file with one that will allow the builds to finish?

mysql-test/std_data/cacert.pem

Thanks

Revision history for this message
Otto Kekäläinen (otto) wrote : Re: [Bug 1414755] Re: USN-2480-1: MySQL vulnerabilities partially also applies to MariaDB

2015-01-29 2:37 GMT+02:00 Seth Arnold <email address hidden>:
> Otto, I wish we'd finished this yesterday, the cacert.pem expired today
> causing the builds on the build service to fail despite successful
> builds on my development laptop.
>
> Any suggestions how to replace this file with one that will allow the
> builds to finish?
>
> mysql-test/std_data/cacert.pem

I have reported this upstream, they are working on issuing a new test
certificate so that the test suite would pass. Bad luck it expired
28th 05:55..

Revision history for this message
Otto Kekäläinen (otto) wrote :

FYI: The cacert.pem dates back from 2005 and upstream-upstream MySQL
has the same file. I checked if there is an update but there is
nothing new in the repo since September, not even a code dump since
the 5.5.41 release:
https://github.com/mysql/mysql-server/tree/5.5/mysql-test/std_data
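
The failure discussed above (a test-fixture CA certificate that silently lapsed and broke builds on the build service but not on a laptop) is the kind of thing a packager wants to catch before the expiry date, not on it. The following is an added example, not code from this bug report or from the MariaDB or MySQL projects: it builds two constructed self-signed CA certificates in PEM form, one with a NotAfter of 2015-01-28 05:55 UTC matching the date quoted in the thread and one valid for years, then flags every fixture that is expired or will expire within a grace period at a caller-supplied reference time. File names such as `cacert.pem` and the 90-day grace window are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the result of checking one PEM-encoded certificate.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	Expired   bool          // already past NotAfter at the reference time
	Remaining time.Duration // time left until NotAfter (negative when expired)
}

// CheckPEM parses the first CERTIFICATE block in pemData and compares its
// NotAfter against the reference time now. The time is passed in rather than
// read from the clock so the check is deterministic and so a tree can be
// checked against a future date (e.g. the next planned release).
func CheckPEM(pemData []byte, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	return CertStatus{
		Subject:   cert.Subject.String(),
		NotAfter:  cert.NotAfter,
		Expired:   now.After(cert.NotAfter),
		Remaining: cert.NotAfter.Sub(now),
	}, nil
}

// ExpiresWithin returns the fixtures that are expired, or will expire within
// grace, at the reference time. A build step that fails on a non-empty result
// catches the lapse months ahead instead of on the day the suite breaks.
func ExpiresWithin(fixtures map[string][]byte, now time.Time, grace time.Duration) (map[string]CertStatus, error) {
	flagged := map[string]CertStatus{}
	for name, data := range fixtures {
		st, err := CheckPEM(data, now)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if st.Remaining < grace {
			flagged[name] = st
		}
	}
	return flagged, nil
}

// MakeSelfSignedCA fabricates a constructed self-signed CA certificate in PEM
// form with the given validity window. It exists only to produce sample
// fixtures for this example; it is not MariaDB's own cacert.pem.
func MakeSelfSignedCA(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Reference time: the day after the expiry quoted in the bug thread.
	now := time.Date(2015, time.January, 29, 0, 0, 0, 0, time.UTC)
	// Constructed fixtures (assumed names): one lapsed on 2015-01-28 05:55 UTC, one good for ten years.
	stale, _ := MakeSelfSignedCA("stale test CA", time.Date(2005, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2015, 1, 28, 5, 55, 0, 0, time.UTC))
	fresh, _ := MakeSelfSignedCA("fresh test CA", now, now.AddDate(10, 0, 0))
	flagged, err := ExpiresWithin(map[string][]byte{"cacert.pem": stale, "new-cacert.pem": fresh}, now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for name, st := range flagged {
		fmt.Printf("%s: %s expires %s (expired=%v)\n", name, st.Subject, st.NotAfter.Format(time.RFC3339), st.Expired)
	}
}
```

The same check from a shell, against a real fixture, is `openssl x509 -noout -enddate -in mysql-test/std_data/cacert.pem`; `openssl x509 -noout -checkend 7776000 -in FILE` exits non-zero when the certificate expires within 90 days, which is a one-line guard for a build script.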

Revision history for this message
Otto Kekäläinen (otto) wrote :

Fix pushed to github (the links above will show the latest diff) and new test builds running at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

I am travelling (in FOSDEM) and don't know when I can check the builds next time. Feel free to check the builds in a couple of hours and continue with your part of the process if everything is OK.

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.41-0ubuntu0.14.10.2

---------------
mariadb-5.5 (5.5.41-0ubuntu0.14.10.2) utopic-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.41 to fix security issues (LP: #1414755)
    - CVE-2015-0411
    - CVE-2015-0382
    - CVE-2015-0381
    - CVE-2015-0432
    - CVE-2014-6568
    - CVE-2015-0374
  * As approved by Seth Arnold, this security update also imports the latest
    mariadb-5.5 packaging from Debian which includes useful and low-risk
    fixes:
    - Updated Dutch translation by Frans Spiesschaert
    - Updated control file so that mariadb-client-5.5 breaks and replaces
      the package mariadb-server-5.5 to allow overwriting the innochecksum
      man page file which has changed location (LP: #1368124) as per
      doc https://www.debian.org/doc/debian-policy/ch-relationships.html#s7.6.1
    - Backported the fix of #770177 from 10.0 to 5.5 so that the migration
      question will not be asked repeatedly. (LP: #1392539)
  * Backported new cacert.pem etc. from 5.5 to replace the expired ones
 -- Otto Kekaelaeinen <email address hidden> Mon, 26 Jan 2015 21:15:00 +0200

Changed in mariadb-5.5 (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Otto.

I've asked for mariadb-5.5 to be removed from vivid and future in https://bugs.launchpad.net/ubuntu/+source/mariadb-5.5/+bug/1417328

Thanks

Revision history for this message
Otto Kekäläinen (otto) wrote :

Hello!

I just started getting feedback from users whose updates fail - it seems I screwed up in a bugfix and introduced a new bug. The new bug was fixed in 10.0 but somehow I missed thinking about backporting it.

What shall we do? Upload directly a 5.5.41-1ubuntu packages?

Here are the debdiffs:
https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.41-0ubuntu0.14.04.1...ubuntu-14.04
https://github.com/ottok/mariadb-5.5/compare/ubuntu/5.5.41-0ubuntu0.14.10.1...ubuntu-14.10
