http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
@maintainers: Can you please advise as to the impact on dev-db/mariadb following this security announcement and whether we should treat the packages commonly in this bug or clone it for parallel handling?
(In reply to Kristian Fiskerstrand from comment #1) > @maintainers: Can you please advise as to the impact on dev-db/mariadb > following this security announcement and whether we should treat the > packages commonly in this bug or clone it for parallel handling? MariaDB 5.5.x follows the MySQL releases and then adds in their own changes. The in the case of 10.0.x, MariaDB includes the 5.5 code base of MySQL as well as some parts of 5.6 though some 5.6 features are reimplemented. MariaDB announces what releases fix what CVEs here[1]. Unfortunately, with Oracle being so secretive about what they fix, it is difficult to coordinate until MariaDB publishes. [1] https://mariadb.com/kb/en/mariadb/development/security/
(In reply to Brian Evans from comment #2) > (In reply to Kristian Fiskerstrand from comment #1) > > @maintainers: Can you please advise as to the impact on dev-db/mariadb > > following this security announcement and whether we should treat the > > packages commonly in this bug or clone it for parallel handling? > > MariaDB 5.5.x follows the MySQL releases and then adds in their own changes. > > The in the case of 10.0.x, MariaDB includes the 5.5 code base of MySQL as > well as some parts of 5.6 though some 5.6 features are reimplemented. > > MariaDB announces what releases fix what CVEs here[1]. > > Unfortunately, with Oracle being so secretive about what they fix, it is > difficult to coordinate until MariaDB publishes. > > [1] https://mariadb.com/kb/en/mariadb/development/security/ Thanks, continuing mariadb tracking in bug 537262
dev-db/mysql-5.6.22 has been in the tree for a while and bug #525296 has started stables (So far just arm and hppa) This satisfies the security versions listed in the Oracle link. If 5.6.22 is the main target, MariaDB-10.0.15-r1 must be stabled together in this particular case or else users can be forced to switch implementations with possible unintended consequences if they are not paying attention. Otherwise, 5.5.41 is also in the tree. I do know that multilib needs 5.6.22. I just want to make clear the situation to best serve our users.
CVE-2015-0432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0432): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. CVE-2015-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0411): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. CVE-2015-0409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0409): Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2015-0391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0391): Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. CVE-2015-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0385): Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. CVE-2015-0382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0382): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. CVE-2015-0381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0381): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. CVE-2015-0374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0374): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. CVE-2014-6568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6568): Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML.
Arches, Thank you for your work. stabilized as part of Bug #525296 Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed.
Added to package.mask # Brian Evans <grknight@gentoo.org> (16 Feb 2015) # Mask MySQL and MariaDB 5.5 series for security bug 537216 # Please make sure mysql_upgrade has been run before moving to 5.6 # Not removing until roughly Dec 2015 as an upgrade path must # exist or else the server may crash if the admin has not done # proper maintenance prior to updating =virtual/mysql-5.5 =dev-db/mysql-5.5* =dev-db/mariadb-5.5*
This issue was resolved and addressed in GLSA 201504-05 at https://security.gentoo.org/glsa/201504-05 by GLSA coordinator Yury German (BlueKnight).
