Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 670388

Summary: <dev-db/mariadb-{10.0.37,10.1.37,10.3.11}: multiple vulnerabilities (Nov 2018)
Product: Gentoo Security Reporter: Brian Evans (RETIRED) <grknight>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: mysql-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://mariadb.com/kb/en/library/security/
Whiteboard: B1 [glsa+ cve]
Package list:
dev-db/mariadb-10.1.37
 Runtime testing required: ---

Description Brian Evans (RETIRED) gentoo-dev 2018-11-05 19:48:18 UTC 
CVE-2018-3284: MariaDB 10.2.19
CVE-2018-3282: MariaDB 5.5.62, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3277: MariaDB 10.2.19
CVE-2018-3251: MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3200: MariaDB 10.2.19
CVE-2018-3185: MariaDB 10.2.19
CVE-2018-3174: MariaDB 5.5.62, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3173: MariaDB 10.2.19
CVE-2018-3162: MariaDB 10.2.19
CVE-2018-3156: MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3143: MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-11-19 14:39:43 UTC 
@ Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mariadb-10.0.37 alpha amd64 arm ia64 ppc ppc64 x86
=dev-db/mariadb-10.1.37 alpha amd64 arm ia64 ppc ppc64 x86


# Official test instructions:
# USE='extraengine perl server' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.37.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 2 Brian Evans (RETIRED) gentoo-dev 2018-11-19 17:54:54 UTC 
Updated list to include 10.3.11. These are the versions where the vulnerability is fixed in a series.  Unlisted series are not affected.

CVE-2018-3284: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3282: MariaDB 5.5.62, MariaDB 10.3.11, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3277: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3251: MariaDB 10.3.11, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3200: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3185: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3174: MariaDB 5.5.62, MariaDB 10.3.11, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3173: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3162: MariaDB 10.3.11, MariaDB 10.2.19
CVE-2018-3156: MariaDB 10.3.11, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
CVE-2018-3143: MariaDB 10.3.11, MariaDB 10.2.19, MariaDB 10.1.37, MariaDB 10.0.37
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-20 01:43:05 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2018-11-20 12:45:36 UTC 
amd64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-25 09:47:41 UTC 
arm stable
Comment 6 Larry the Git Cow gentoo-dev 2018-11-28 16:05:07 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31e42179dcfdd7ed47eea22a11fac9cb8fb1346b

commit 31e42179dcfdd7ed47eea22a11fac9cb8fb1346b
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:04:23 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:04:38 +0000

    dev-db/mariadb-10.0.37-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670388
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/mariadb/mariadb-10.0.37.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-28 23:18:17 UTC 
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:37:40 UTC 
alpha stable
Comment 9 Brian Evans (RETIRED) gentoo-dev 2019-05-15 13:25:31 UTC 
dev-db/mariadb-10.0.37 removed from stable list as 10.0 is obsolete and due to be removed
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-04 19:02:08 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-07-02 10:37:08 UTC 
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Larry the Git Cow gentoo-dev 2019-07-02 12:27:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f3c8590c1c8bb857c79d1b06c638aed58c64b92

commit 6f3c8590c1c8bb857c79d1b06c638aed58c64b92
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-07-02 12:27:37 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-07-02 12:27:37 +0000

    dev-db/mariadb: Clean up old and vulnerable versions
    
    Bug: https://bugs.gentoo.org/679024
    Bug: https://bugs.gentoo.org/670388
    Package-Manager: Portage-2.3.68, Repoman-2.3.16
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-db/mariadb/Manifest               |   7 -
 dev-db/mariadb/mariadb-10.1.34.ebuild | 887 -------------------------------
 dev-db/mariadb/mariadb-10.1.37.ebuild | 887 -------------------------------
 dev-db/mariadb/mariadb-10.2.24.ebuild | 972 ---------------------------------
 dev-db/mariadb/mariadb-10.3.13.ebuild | 973 ---------------------------------
 dev-db/mariadb/mariadb-10.3.15.ebuild | 974 ----------------------------------
 dev-db/mariadb/mariadb-5.5.63.ebuild  | 831 -----------------------------
 7 files changed, 5531 deletions(-)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:29:59 UTC 
This issue was resolved and addressed in
 GLSA 201908-24 at https://security.gentoo.org/glsa/201908-24
by GLSA coordinator Aaron Bauman (b-man).