Bug 537262

Comment 1 Kristian Fiskerstrand (RETIRED) 2015-01-26 22:49:05 UTC

From MariaDB 10.0.16 Release Notes on https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ :
Fixes for the following security vulnerabilities:

    CVE-2015-0411
    CVE-2015-0382
    CVE-2015-0381
    CVE-2015-0432
    CVE-2014-6568
    CVE-2015-0374 

InnoDB upgraded to 5.6.22
XtraDB upgraded to 5.6.22-71.0
TokuDB upgraded to 7.5.4
Updates to the CONNECT handler 

-- 
I'm not sure about status for CVE-2015-{0385,0391,0409} for mysql from bug 537216 though.

Comment 2 Brian Evans (RETIRED) 2015-01-28 14:05:43 UTC

mariadb-10.0.16 added to the tree.

Initial testing suggests it is ready.

Comment 3 Brian Evans (RETIRED) 2015-01-28 14:34:18 UTC

mariadb-10.0.16 added to the tree.

Initial testing suggests it is ready.(In reply to Kristian Fiskerstrand from comment #1)
> From MariaDB 10.0.16 Release Notes on
> https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ :
> Fixes for the following security vulnerabilities:
> 
>     CVE-2015-0411
>     CVE-2015-0382
>     CVE-2015-0381
>     CVE-2015-0432
>     CVE-2014-6568
>     CVE-2015-0374 
> 
> InnoDB upgraded to 5.6.22
> XtraDB upgraded to 5.6.22-71.0
> TokuDB upgraded to 7.5.4
> Updates to the CONNECT handler 
> 
> -- 
> I'm not sure about status for CVE-2015-{0385,0391,0409} for mysql from bug
> 537216 though.

The MariaDB security page shows fixed versions:
CVE-2015-0391: MariaDB 5.5.39, MariaDB 10.0.13 

From #maria on freenode:

9:27:29 AM - grknight: serg: is MariaDB affected by CVE-2015-{0385,0409} that Oracle announced for mysql in that last release?
9:29:09 AM - serg: grknight: 5.5.41 and 10.0.16 have all MySQL bugfixes from 5.5.41, so MariaDB isn't vulnerable
9:29:34 AM - serg: a couple of CVEs were 5.6 only and don't apply to MariaDB at all

Comment 4 Brian Evans (RETIRED) 2015-02-08 23:50:16 UTC

Arches,  please test and mark stable.

Target keywords:

dev-db/mariadb-10.0.16 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

@alpha and ia64: please make sure to complete bug 525296 at the same time for dev-db/mysql and virtual/mysql for best user experience. (Same vulnerabilities)

Comment 5 Agostino Sarubbo 2015-02-10 09:58:33 UTC

amd64 stable

Comment 6 Agostino Sarubbo 2015-02-10 09:59:07 UTC

x86 stable

Comment 7 Jeroen Roovers (RETIRED) 2015-02-11 16:33:02 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo 2015-02-16 10:22:51 UTC

sparc stable

Comment 9 Agostino Sarubbo 2015-02-16 10:27:29 UTC

ia64 stable

Comment 10 Agostino Sarubbo 2015-02-16 10:28:08 UTC

alpha stable

Comment 11 Markus Meier 2015-02-17 21:08:06 UTC

arm stable

Comment 12 Agostino Sarubbo 2015-02-18 08:52:05 UTC

ppc64 stable

Comment 13 Agostino Sarubbo 2015-02-18 09:17:48 UTC

ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 14 Brian Evans (RETIRED) 2015-02-18 13:56:22 UTC

Vulnerable versions have been removed.

Security, please continue.

Comment 15 Kristian Fiskerstrand (RETIRED) 2015-02-19 09:47:09 UTC

Added to existing GLSA request for bug 537216 (the mysql counterpart to this bug)

Comment 16 GLSAMaker/CVETool Bot 2015-04-11 20:43:21 UTC

This issue was resolved and addressed in
 GLSA 201504-05 at https://security.gentoo.org/glsa/201504-05
by GLSA coordinator Yury German (BlueKnight).