Bug 637580 - <dev-db/mariadb-{10.0.33,10.1.29}: Multiple vulnerabilities (CVE-2017-{10268, 10378})
Summary: <dev-db/mariadb-{10.0.33,10.1.29}: Multiple vulnerabilities (CVE-2017-{10268,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2017-11-15 13:49 UTC by Brian Evans (RETIRED)
Modified: 2018-11-25 01:04 UTC
Package list:
dev-db/mariadb-10.0.33 dev-db/mariadb-10.1.29 dev-libs/libpcre-8.41-r1
Runtime testing required: ---
stable-bot: sanity-check+

Description Brian Evans (RETIRED) gentoo-dev 2017-11-15 13:49:00 UTC
The following release series for MariaDB includes fixes for CVE-2017-10378 and CVE-2017-10268:

5.5: 5.5.58
10.0: 10.0.33
10.1: 10.1.29
10.2: 10.2.10

In addition, 10.2.10 also lists CVE-2017-15365 as fixed, but it does not apply to other release series.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2017-11-16 13:37:55 UTC
Add libpcre-8.41-r1 to the list as it fails to build otherwise
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-16 14:23:00 UTC
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource-starved machines (each test thread can spawn up to 4 server instances).

Target keywords:
=dev-db/mariadb-10.0.33 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=dev-db/mariadb-10.1.29 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86


# Official test instructions:
# USE='embedded extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.33.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-16 16:40:12 UTC
Stable on alpha.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-16 21:57:51 UTC
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:37:03 UTC
ia64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-19 19:21:29 UTC
x86 stable
Comment 7 Rolf Eike Beer archtester 2017-11-23 16:55:07 UTC
The libpcre part looks good on sparc.
Comment 8 Markus Meier gentoo-dev 2017-11-24 06:03:12 UTC
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-29 19:26:06 UTC
amd64 stable
Comment 10 Matt Turner gentoo-dev 2018-03-17 22:16:36 UTC
Remaining stabilization will be handled in bug 647082