Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598704

Summary: <dev-db/mariadb-10.0.28: multiple vulnerabilities (CVE-2016-{3492,5584,5624,5626,5629,6663,7440,8283})
Product: Gentoo Security Reporter: Brian Evans (RETIRED) <grknight>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mike, mysql-bugs
Priority: Normal Flags: kensington: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
=dev-db/mariadb-10.0.28 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
 Runtime testing required: ---

Description Brian Evans (RETIRED) gentoo-dev 2016-11-01 20:28:28 UTC 
Per the release notes on the respective links...

The following versions include fixes to CVE vulnerabilities:

10.1.18 [1]:
Fixes for the following security vulnerabilities:

    CVE-2016-5616
    CVE-2016-5624
    CVE-2016-5626
    CVE-2016-3492
    CVE-2016-5629
    CVE-2016-8283
    CVE-2016-6663 This vulnerability was discovered by Dawid Golunski. 

10.0.28 [2]:

Fixes for the following security vulnerabilities:

    CVE-2016-5616
    CVE-2016-5624
    CVE-2016-5626
    CVE-2016-3492
    CVE-2016-5629
    CVE-2016-8283
    CVE-2016-7440
    CVE-2016-5584
    CVE-2016-6663 This vulnerability was discovered by Dawid Golunski.

5.5.53 [3]:

Fixes for the following security vulnerabilities:

    CVE-2016-7440
    CVE-2016-5584

[1] https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/
[2] https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
[3] https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/
Comment 1 Hanno Böck gentoo-dev 2016-11-01 22:16:13 UTC 
Here's some more background, this looks pretty bad:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

The fixed versions (10.1.18, 10.0.28) are already in the tree. Can we start stabiliziing
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-11-02 14:44:05 UTC 
Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mariadb-10.0.28 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.28.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-04 08:04:05 UTC 
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-04 08:21:36 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-04 08:24:55 UTC 
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-11-10 17:52:17 UTC 
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-14 17:20:38 UTC 
Stable on alpha.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 06:18:13 UTC 
CVE's assigned to bug 597538 which will be addressed in the same GLSA.
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-19 14:38:41 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-19 15:15:19 UTC 
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-20 09:48:24 UTC 
ppc stable.

Maintainer(s), please cleanup.
Comment 12 Brian Evans (RETIRED) gentoo-dev 2016-12-20 13:59:57 UTC 
Cleanup complete
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:37:46 UTC 
This issue was resolved and addressed in
 GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01
by GLSA coordinator Thomas Deutschmann (whissi).