Summary: | dev-db/mariadb-{5.5.44,10.0.20}: multiple vulnerabilities (CVE-2015-{2582,2643,2648,3152,4752}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | mysql-bugs |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL | | |
Whiteboard: | B2 [glsa cve] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 556432 | | |
Description

Agostino Sarubbo 2015-07-20 14:04:59 UTC

$URL lists these CVEs (resorted for readability):

CVE-2015-4772 CVE-2015-4771 CVE-2015-4769 CVE-2015-4767 CVE-2015-4761 CVE-2015-4757 CVE-2015-4756 CVE-2015-4752 CVE-2015-4737 CVE-2015-2661 CVE-2015-2648 CVE-2015-2643 CVE-2015-2641 CVE-2015-2639 CVE-2015-2620 CVE-2015-2617 CVE-2015-2611 CVE-2015-2582

https://mariadb.com/kb/en/mariadb/security/#cves-affecting-oracle-mysql says the following CVEs cannot be determined since Oracle does not disclose information, and they are listed as 5.6 only:

CVE-2015-4772 CVE-2015-4771 CVE-2015-4769 CVE-2015-4767 CVE-2015-4761 CVE-2015-4756 CVE-2015-2661 CVE-2015-2641 CVE-2015-2639 CVE-2015-2617 CVE-2015-2611 CVE-2015-2567 CVE-2015-2566

So that leaves these as yet to be determined:

CVE-2015-4757 CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582

Summary of maria-discuss post[1]:

>Thanks. I've updated the security page[2] now.
>I think that CVE-2015-4757 is fixed in 5.5.43 (and 10.0.18), and
> CVE-2015-4752
> CVE-2015-2648
> CVE-2015-2643
> CVE-2015-2582
>are fixed in 5.5.44 (and 10.0.20).

Though the CVEs only go up to <10.0.20, I am targeting 10.0.21 for connection issues related, but not vulnerable, to LogJam.

Arches, please test and mark stable. The test suite should pass following the official instructions. Local timeouts may be expected on resource-starved machines (each test thread can spawn up to 4 server instances).

Target keywords:
=dev-db/mariadb-10.0.21 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.21.ebuild \
# digest clean package
# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"

[1] https://lists.launchpad.net/maria-discuss/msg02868.html
[2] https://mariadb.com/kb/en/mariadb/security/

Stable on alpha.

Stable for PPC64.

amd64 stable

Stable for HPPA.

*** Bug 548134 has been marked as a duplicate of this bug. ***

arm stable

ppc stable

x86 stable

sparc stable

@ia64: ping, month-old security bug needs some love

ia64 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Cleanup complete

Arches and Maintainer(s), thank you for your work. Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06 by GLSA coordinator Aaron Bauman (b-man).