Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 525504 - <dev-db/mysql-5.5.40 - <dev-db/mariadb-5.5.40-r1: multiple vulnerabilities (CVE-2014-{6464,6469,6491,6494,6496,6500,6507,6555,6559})
Summary: <dev-db/mysql-5.5.40 - <dev-db/mariadb-5.5.40-r1: multiple vulnerabilities (C...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 525644
Blocks:
  Show dependency tree
 
Reported: 2014-10-15 16:02 UTC by Agostino Sarubbo
Modified: 2014-11-06 00:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-10-15 16:02:07 UTC
See ${URL} for details.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2014-10-15 17:07:50 UTC
dev-db/mysql-5.5.40 and dev-db/mariadb-5.5.40 are already in the tree and should be good to go stable

dev-db/mariadb still merges from Oracle's tree in the 5.5 series

Older 5.6 series dev-db/mysql have been purged from the tree
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-16 10:35:07 UTC
Arches, please test and mark stable:
=dev-db/mysql-5.5.40
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"



Arches, please test and mark stable:                                                                                                                                                                                                                                           
=dev-db/mariadb-5.5.40
Target keywords : "alpha amd64 hppa x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-16 11:01:11 UTC
amd64 and x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-16 15:14:00 UTC
Both stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-17 06:47:43 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-17 13:14:16 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-17 13:27:52 UTC
ppc64 stable
Comment 8 Brian Evans (RETIRED) gentoo-dev 2014-10-17 13:46:42 UTC
There is an include header issue with dev-db/mariadb-5.5.40  working on a patch now and will notify when it is revbumped with a patch
Comment 9 Brian Evans (RETIRED) gentoo-dev 2014-10-17 14:37:28 UTC
dev-db/mariadb-5.5.40-r1 added and arches imported from previous stabled
Any further arches should target this revision instead

Reasoning for direct to stable was the simple patch added and recommended by upstream:
diff -aurN mysql.orig/config.h.cmake mysql/config.h.cmake
--- mysql.orig/config.h.cmake	2014-10-08 09:19:51.000000000 -0400
+++ mysql/config.h.cmake	2014-10-17 09:51:33.617709631 -0400
@@ -650,7 +650,7 @@
 
   __GLIBC__ is defined in <features.h>
 */
-#ifdef __GLIBC__
+#if 0
 #error <my_config.h> MUST be included first!
 #endif
Comment 10 Brian Evans (RETIRED) gentoo-dev 2014-10-17 16:16:00 UTC
Remove x86 from cc since it was stabled already
Comment 11 Agostino Sarubbo gentoo-dev 2014-10-18 14:07:14 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-10-18 14:11:24 UTC
sparc stable
Comment 13 Markus Meier gentoo-dev 2014-10-22 19:20:34 UTC
arm stable, all arches done.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2014-10-22 22:46:20 UTC
A new GLSA request has been created for this issue.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 23:32:39 UTC
CVE-2014-6559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6559):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and
  5.6.20 and earlier, allows remote attackers to affect confidentiality via
  vectors related to C API SSL CERTIFICATE HANDLING.

CVE-2014-6555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6555):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and
  5.6.20 and earlier allows remote authenticated users to affect
  confidentiality, integrity, and availability via vectors related to
  SERVER:DML.

CVE-2014-6507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6507):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and
  5.6.20 and earlier, allows remote authenticated users to affect
  confidentiality, integrity, and availability via vectors related to
  SERVER:DML.

CVE-2014-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6500):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and
  5.6.20 and earlier, allows remote attackers to affect confidentiality,
  integrity, and availability via vectors related to SERVER:SSL:yaSSL, a
  different vulnerability than CVE-2014-6491.

CVE-2014-6496 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6496):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and
  5.6.20 and earlier, allows remote attackers to affect availability via
  vectors related to CLIENT:SSL:yaSSL, a different vulnerability than
  CVE-2014-6494.

CVE-2014-6494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6494):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and
  5.6.20 and earlier, allows remote attackers to affect availability via
  vectors related to CLIENT:SSL:yaSSL, a different vulnerability than
  CVE-2014-6496.

CVE-2014-6491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6491):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and
  5.6.20 and earlier allows remote attackers to affect confidentiality,
  integrity, and availability via vectors related to SERVER:SSL:yaSSL, a
  different vulnerability than CVE-2014-6500.

CVE-2014-6469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6469):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and eariler and
  5.6.20 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:OPTIMIZER.

CVE-2014-6464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6464):
  Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and
  5.6.20 and earlier allows remote authenticated users to affect availability
  via vectors related to SERVER:INNODB DML FOREIGN KEYS.
Comment 16 Brian Evans (RETIRED) gentoo-dev 2014-10-23 00:09:39 UTC
(In reply to Markus Meier from comment #13)
> arm stable, all arches done.

dev-db/mysql-5.5.40 still shows ~arm in CVS.  was this a mistake?
Comment 17 Markus Meier gentoo-dev 2014-10-23 19:29:29 UTC
arm stable, all arches done.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-11-06 00:18:48 UTC
This issue was resolved and addressed in
 GLSA 201411-02 at http://security.gentoo.org/glsa/glsa-201411-02.xml
by GLSA coordinator Sean Amoss (ackle).