USN-2781-1: MySQL vulnerabilities partially also applies to MariaDB

Bug #1512241 reported by Otto Kekäläinen
Affects                  Status        Importance  Assigned to       Milestone
mariadb-10.0 (Ubuntu)    Fix Released  Medium      Marc Deslauriers
  Vivid                  Fix Released  Medium      Marc Deslauriers
  Wily                   Fix Released  Medium      Marc Deslauriers
  Xenial                 Fix Released  Medium      Marc Deslauriers
mariadb-5.5 (Ubuntu)     Fix Released  Undecided   Unassigned
  Vivid                  Invalid       Undecided   Unassigned

Bug Description

The mentioned security notice also affects MariaDB, and the latest release includes fixes.

I will produce a security release and upload it as a patch to this bug report.

Revision history for this message
Otto Kekäläinen (otto) wrote :

The latest Oracle security notices and CVEs were about issues that have been fixed in MariaDB 10.0.17 to .22.

See the latest changelogs and previous changelogs updated in retrospect in commit: http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git/commit/?h=ubuntu-15.04&id=bbb953f102e98d1a7141a621a12ffe448ffce635

I've attached the diff that should be applied to the previous debian/* contents. The diff was created with the command

    git diff ubuntu/10.0.20-0ubuntu0.15.04.1..HEAD debian/* > 10.0.20-0ubuntu0.15.04.1..10.0.22-0ubuntu0.15.04.1.debdiff

It seems the package mariadb-10.0 is no longer synced from Debian in newer releases 15.10 and 16.04 alpha. This same update should thus be applied on top of the 15.10 and 16.04 versions too.

information type: Private Security → Public Security
Steve Beattie (sbeattie)
Changed in mariadb-10.0 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in mariadb-10.0 (Ubuntu Vivid):
status: New → Confirmed
Changed in mariadb-10.0 (Ubuntu Wily):
status: New → Confirmed
Changed in mariadb-10.0 (Ubuntu Xenial):
status: Triaged → Confirmed
Changed in mariadb-10.0 (Ubuntu Wily):
importance: Undecided → Medium
Changed in mariadb-10.0 (Ubuntu Vivid):
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in mariadb-10.0 (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.22-0ubuntu0.15.04.1

---------------
mariadb-10.0 (10.0.22-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.22 fixes security issues:
    (LP: #1512241)
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * Includes security issues fixed in 10.0.21:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
    - CVE-2015-4895
    (LP: #1512241)
  * Upstream changed mysqld_safe_syslog.cnf to fix logging error

 -- Otto Kekäläinen <email address hidden> Mon, 02 Nov 2015 09:25:30 +0200

Changed in mariadb-10.0 (Ubuntu Vivid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.22-0ubuntu0.15.10.1

---------------
mariadb-10.0 (10.0.22-0ubuntu0.15.10.1) wily-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.22 fixes security issues:
    (LP: #1512241)
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * Includes security issues fixed in 10.0.21:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
    - CVE-2015-4895
    (LP: #1512241)
  * Upstream changed mysqld_safe_syslog.cnf to fix logging error

 -- Otto Kekäläinen <email address hidden> Mon, 02 Nov 2015 09:25:30 +0200

Changed in mariadb-10.0 (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Otto Kekäläinen (otto) wrote :

I am also preparing the 5.5.46 update for Trusty in the 14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.0 - 10.0.22-0ubuntu1

---------------
mariadb-10.0 (10.0.22-0ubuntu1) xenial; urgency=low

  * SECURITY UPDATE: Update to 10.0.22 fixes security issues:
    (LP: #1512241)
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * Includes security issues fixed in 10.0.21:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
    - CVE-2015-4895
    (LP: #1512241)
  * Upstream changed mysqld_safe_syslog.cnf to fix logging error

 -- Otto Kekäläinen <email address hidden> Mon, 02 Nov 2015 09:25:30 +0200

Changed in mariadb-10.0 (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Otto Kekäläinen (otto) wrote :

I've now also prepared the update for 5.5.46 in Trusty. The diff is attached, created with command:

   git diff ubuntu/5.5.44-1ubuntu0.14.04.1..HEAD debian/ > 5.5.44-1ubuntu0.14.04.1..5.5.46-1ubuntu0.14.04.2.diff

Please apply this to the previous version after importing the new upstream (with e.g. uscan).

Unfortunately I didn't have time to do much testing now. These are minor releases and they have a good history of not causing regressions, so it should be safe to upload anyway.

Otto Kekäläinen (otto)
no longer affects: mariadb-5.5 (Ubuntu Xenial)
no longer affects: mariadb-5.5 (Ubuntu Wily)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.46-1ubuntu0.14.04.2

---------------
mariadb-5.5 (5.5.46-1ubuntu0.14.04.2) trusty-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1512241):
    - CVE-2015-4913
    - CVE-2015-4870
    - CVE-2015-4861
    - CVE-2015-4858
    - CVE-2015-4836
    - CVE-2015-4830
    - CVE-2015-4826
    - CVE-2015-4815
    - CVE-2015-4807
    - CVE-2015-4802
    - CVE-2015-4792
  * Upstream release 5.5.45 fixes for the following security vulnerabilities:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
  * Update new Oracle CVE identifiers to old MariaDB changelog entries
  * New patch: Extend date in test suite so that main.events_1 will pass

 -- Otto Kekäläinen <email address hidden> Tue, 03 Nov 2015 11:41:30 +0200

Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Released
Changed in mariadb-5.5 (Ubuntu Vivid):
status: New → Invalid
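As an added example (not part of the Launchpad report or of the mariadb packaging), the following Python script parses Debian changelog stanzas like the ones quoted in the Janitor comments above, extracts the CVE identifiers each upload claims to fix, and reports which identifiers from the 10.0.22 entry are absent from the 5.5.46 entry. The sample stanzas are copied from this page; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Header line of a Debian changelog stanza:
#   source (version) distribution; urgency=level
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Stanza:
    """One changelog entry and the CVE identifiers it mentions (example type)."""
    source: str
    version: str
    distribution: str
    cves: List[str] = field(default_factory=list)  # order of first appearance, deduplicated


def parse_changelog(text: str) -> List[Stanza]:
    """Split a changelog into stanzas and collect the CVE ids under each header."""
    stanzas: List[Stanza] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            stanzas.append(Stanza(m["source"], m["version"], m["dist"]))
            continue
        if not stanzas:
            continue  # text before the first header is ignored
        for cve in CVE_RE.findall(line):
            if cve not in stanzas[-1].cves:
                stanzas[-1].cves.append(cve)
    return stanzas


def missing_cves(expected: Set[str], stanza: Stanza) -> List[str]:
    """CVE ids in `expected` that the stanza does not claim to fix."""
    return sorted(expected - set(stanza.cves))


# Sample input: the two stanzas quoted on this bug page (constructed copy).
CHANGELOG_10_0 = """\
mariadb-10.0 (10.0.22-0ubuntu0.15.04.1) vivid-security; urgency=low

  * SECURITY UPDATE: Update to 10.0.22 fixes security issues:
    (LP: #1512241)
    - CVE-2015-4802
    - CVE-2015-4807
    - CVE-2015-4815
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4870
    - CVE-2015-4913
    - CVE-2015-4792
  * Includes security issues fixed in 10.0.21:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
    - CVE-2015-4895
    (LP: #1512241)
  * Upstream changed mysqld_safe_syslog.cnf to fix logging error

 -- Otto Kekäläinen <email address hidden>  Mon, 02 Nov 2015 09:25:30 +0200
"""

CHANGELOG_5_5 = """\
mariadb-5.5 (5.5.46-1ubuntu0.14.04.2) trusty-security; urgency=low

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1512241):
    - CVE-2015-4913
    - CVE-2015-4870
    - CVE-2015-4861
    - CVE-2015-4858
    - CVE-2015-4836
    - CVE-2015-4830
    - CVE-2015-4826
    - CVE-2015-4815
    - CVE-2015-4807
    - CVE-2015-4802
    - CVE-2015-4792
  * Upstream release 5.5.45 fixes for the following security vulnerabilities:
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4879
  * Update new Oracle CVE identifiers to old MariaDB changelog entries
  * New patch: Extend date in test suite so that main.events_1 will pass

 -- Otto Kekäläinen <email address hidden>  Tue, 03 Nov 2015 11:41:30 +0200
"""


if __name__ == "__main__":
    ten = parse_changelog(CHANGELOG_10_0)[0]
    five = parse_changelog(CHANGELOG_5_5)[0]
    print(f"{ten.source} {ten.version}: {len(ten.cves)} CVEs")
    print(f"{five.source} {five.version}: {len(five.cves)} CVEs")
    print("claimed by 10.0.22 but not by 5.5.46:", missing_cves(set(ten.cves), five))
```

The comparison surfaces a detail that is easy to miss when reading the two changelogs side by side: the 5.5.46 Trusty entry lists one identifier fewer than the 10.0.22 entry, so anyone tracking this USN against a 5.5 deployment should check that identifier separately rather than assume the two uploads cover identical sets.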