Bug 647082 - <dev-db/mariadb-{10.0.34,10.1.31-r1}: Multiple vulnerabilities (CVE-2018-{2562, 2622, 2640, 2665, 2668, 2612})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-09 05:48 UTC by Brian Evans (RETIRED)
Modified: 2018-11-25 01:33 UTC

See Also:
Package list:
dev-db/mariadb-10.0.34 alpha amd64 arm hppa ia64 ppc64 sparc x86 dev-db/mariadb-10.1.31-r1 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check-


Description Brian Evans (RETIRED) gentoo-dev 2018-02-09 05:48:41 UTC
The latest round of MariaDB releases includes some CVE fixes:

MariaDB 5.5.59, MariaDB 10.0.34 and MariaDB 10.1.31 fix:
CVE-2018-2562
CVE-2018-2622
CVE-2018-2640
CVE-2018-2665
CVE-2018-2668

Additionally, MariaDB 10.0.34 and MariaDB 10.1.31 fix:
CVE-2018-2612
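
An added example, not part of the original report or of Gentoo's tooling: a Python check that takes an installed dev-db/mariadb version and returns which CVEs from the description above are still unfixed, plus whether the version is below the stabilization target named in the bug title. The names `parse_pv` and `assess` are hypothetical, and treating branches the bug does not mention as "unknown" is an assumption of this example.

```python
import re

# Constructed from the bug description: first upstream release per branch that
# carries the fixes. Branches the bug does not mention are deliberately absent.
COMMON = ("CVE-2018-2562", "CVE-2018-2622", "CVE-2018-2640",
          "CVE-2018-2665", "CVE-2018-2668")
UPSTREAM_FIX = {
    (5, 5): ((5, 5, 59), COMMON),
    (10, 0): ((10, 0, 34), COMMON + ("CVE-2018-2612",)),
    (10, 1): ((10, 1, 31), COMMON + ("CVE-2018-2612",)),
}
# Stabilization targets from the bug title, as (version, Gentoo revision).
GENTOO_TARGET = {(10, 0): ((10, 0, 34), 0), (10, 1): ((10, 1, 31), 1)}

_PV = re.compile(r"^(?:dev-db/)?(?:mariadb-)?(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_pv(text):
    """Split '10.1.31-r1' or '=dev-db/mariadb-10.1.31-r1' into ((10, 1, 31), 1)."""
    m = _PV.match(text.strip().lstrip("="))
    if not m:
        raise ValueError(f"unrecognised mariadb version: {text!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch)), int(rev or 0)


def assess(installed):
    """Return (open_cves, below_gentoo_target); (None, None) for other branches."""
    version, rev = parse_pv(installed)
    branch = version[:2]
    if branch not in UPSTREAM_FIX:
        return None, None  # the bug says nothing about this branch
    fixed, cves = UPSTREAM_FIX[branch]
    open_cves = list(cves) if version < fixed else []
    target = GENTOO_TARGET.get(branch)
    # A missing -rN counts as revision 0, so 10.1.31 sorts below 10.1.31-r1.
    below = None if target is None else (version, rev) < target
    return open_cves, below


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for pv in ("10.0.33", "10.1.31", "10.1.31-r1", "5.5.58", "10.2.12"):
        print(pv, assess(pv))
```

A result of `(None, None)` means this bug gives no basis for a verdict on that branch, not that the version is unaffected.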
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-14 22:49:01 UTC
Please call for stabilization when appropriate.

Thank you,
Comment 2 Brian Evans (RETIRED) gentoo-dev 2018-03-15 14:33:20 UTC
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource-starved machines (each test thread can spawn up to 4 server instances).

Target keywords:
=dev-db/mariadb-10.0.34 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=dev-db/mariadb-10.1.31-r1 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86


# Official test instructions:
# USE='extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.33.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 3 Stabilization helper bot gentoo-dev 2018-03-15 15:05:03 UTC
An automated check of this bug failed - repoman reported dependency errors (170 lines truncated): 

> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-db/mariadb/mariadb-10.0.34.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-libs/libpcre-8.41-r1:3=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 4 Stabilization helper bot gentoo-dev 2018-03-15 17:03:40 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 5 Agostino Sarubbo gentoo-dev 2018-03-16 18:43:20 UTC
amd64 stable
Comment 6 Matt Turner gentoo-dev 2018-03-17 22:39:32 UTC
ppc stable for dev-db/mariadb-10.0.34 and dev-libs/libpcre-8.41-r1.

dev-db/mariadb-10.1.31-r1 is blocked on ppc due to bug 650758.

Leaving ppc@ Cc'd, and editing package list to indicate progress.
Comment 7 Matt Turner gentoo-dev 2018-03-17 22:58:14 UTC
ppc64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-18 03:39:15 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2018-04-08 10:52:18 UTC
arm stable
Comment 10 Brian Evans (RETIRED) gentoo-dev 2018-05-14 19:43:54 UTC
hppa and sparc are not security arches any longer
Comment 11 Larry the Git Cow gentoo-dev 2018-06-24 19:38:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63f03440ff394339a16f0421f8385680bc83bf0c

commit 63f03440ff394339a16f0421f8385680bc83bf0c
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:26:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:04 +0000

    dev-db/mariadb: stable 10.1.31-r1 for ppc, bug #647082
    
    Bug: https://bugs.gentoo.org/647082
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 dev-db/mariadb/mariadb-10.1.31-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Stabilization helper bot gentoo-dev 2018-09-22 09:00:24 UTC
An automated check of this bug failed - the following atoms are unknown:

dev-db/mariadb-10.0.34
dev-db/mariadb-10.1.31-r1

Please verify the atom list.
Comment 13 Matt Turner gentoo-dev 2018-11-25 01:33:07 UTC
Newer versions stabilized for alpha in bug 661500