Bug 606258

Summary: <dev-db/mariadb-10.0.29: multiple vulnerabilities (OCPUJAN2017)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: mysql-bugs, toto
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
Whiteboard: B1 [glsa cve]
Package list:
=dev-db/mariadb-10.0.29 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-01-18 11:49:36 UTC
+++ This bug was initially created as a clone of Bug #606254 +++

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

An update for mariadb will follow too.
Comment 1 Hanno Böck gentoo-dev 2017-01-18 19:02:29 UTC
Here are the upstream changelogs:
https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10121-release-notes/

They list the following CVEs:
CVE-2016-6664, CVE-2017-3238, CVE-2017-3243, CVE-2017-3244, CVE-2017-3257, CVE-2017-3258, CVE-2017-3265, CVE-2017-3291, CVE-2017-3312, CVE-2017-3317, CVE-2017-3318

Fixed versions are 10.0.29 and 10.1.21. 10.0.29 is already in portage.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-19 08:06:53 UTC
10.1.x branch has never been stabilized.

@maintainer(s), ready to stabilize?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 00:15:44 UTC
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource-starved machines (each test thread can spawn up to 4 server instances).

Target keywords:
=dev-db/mariadb-10.0.29 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.29.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-30 13:09:50 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-31 11:44:08 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-31 15:53:07 UTC
Stable on alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-31 22:49:00 UTC
Stable for PPC64.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-01 16:46:23 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-12 17:02:08 UTC
ppc stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-12 18:48:17 UTC
Added to existing GLSA.
Comment 11 Markus Meier gentoo-dev 2017-02-12 20:02:48 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-02-17 10:57:55 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-02-18 14:45:35 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 14 Brian Evans (RETIRED) gentoo-dev 2017-02-18 15:45:20 UTC
Cleanup complete
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:43:22 UTC
This issue was resolved and addressed in GLSA 201702-18 at https://security.gentoo.org/glsa/201702-18 by GLSA coordinator Thomas Deutschmann (whissi).