Bug 537262 - <dev-db/mariadb-10.0.16: multiple vulnerabilities (CVE-2014-6568,CVE-2015-{0374,0381,0382,0411,0432})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2015-01-21 16:28 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-04-11 20:43 UTC (History)
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-21 16:28:21 UTC
+++ This bug was initially created as a clone of Bug #537216 +++


Creating clone to track mariadb as a separate bug for clarity. As far as I'm aware there has not been any release yet fixing these issues in mariadb.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-26 22:49:05 UTC
From MariaDB 10.0.16 Release Notes on https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ :
Fixes for the following security vulnerabilities:

    CVE-2015-0411
    CVE-2015-0382
    CVE-2015-0381
    CVE-2015-0432
    CVE-2014-6568
    CVE-2015-0374 

InnoDB upgraded to 5.6.22
XtraDB upgraded to 5.6.22-71.0
TokuDB upgraded to 7.5.4
Updates to the CONNECT handler 

-- 
I'm not sure about status for CVE-2015-{0385,0391,0409} for mysql from bug 537216 though.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2015-01-28 14:05:43 UTC
mariadb-10.0.16 added to the tree.

Initial testing suggests it is ready.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2015-01-28 14:34:18 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> From MariaDB 10.0.16 Release Notes on
> https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ :
> Fixes for the following security vulnerabilities:
> 
>     CVE-2015-0411
>     CVE-2015-0382
>     CVE-2015-0381
>     CVE-2015-0432
>     CVE-2014-6568
>     CVE-2015-0374 
> 
> InnoDB upgraded to 5.6.22
> XtraDB upgraded to 5.6.22-71.0
> TokuDB upgraded to 7.5.4
> Updates to the CONNECT handler 
> 
> -- 
> I'm not sure about status for CVE-2015-{0385,0391,0409} for mysql from bug
> 537216 though.

The MariaDB security page shows fixed versions:
CVE-2015-0391: MariaDB 5.5.39, MariaDB 10.0.13 

From #maria on freenode:

9:27:29 AM - grknight: serg: is MariaDB affected by CVE-2015-{0385,0409} that Oracle announced for mysql in that last release?
9:29:09 AM - serg: grknight: 5.5.41 and 10.0.16 have all MySQL bugfixes from 5.5.41, so MariaDB isn't vulnerable
9:29:34 AM - serg: a couple of CVEs were 5.6 only and don't apply to MariaDB at all
Comment 4 Brian Evans (RETIRED) gentoo-dev 2015-02-08 23:50:16 UTC
Arches, please test and mark stable.

Target keywords:

dev-db/mariadb-10.0.16 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

@alpha and ia64: please make sure to complete bug 525296 at the same time for dev-db/mysql and virtual/mysql for best user experience. (Same vulnerabilities)
Comment 5 Agostino Sarubbo gentoo-dev 2015-02-10 09:58:33 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-10 09:59:07 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-11 16:33:02 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-16 10:22:51 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:27:29 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-16 10:28:08 UTC
alpha stable
Comment 11 Markus Meier gentoo-dev 2015-02-17 21:08:06 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:05 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-18 09:17:48 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Brian Evans (RETIRED) gentoo-dev 2015-02-18 13:56:22 UTC
Vulnerable versions have been removed.

Security, please continue.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-19 09:47:09 UTC
Added to existing GLSA request for bug 537216 (the mysql counterpart to this bug)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:43:21 UTC
This issue was resolved and addressed in
GLSA 201504-05 at https://security.gentoo.org/glsa/201504-05
by GLSA coordinator Yury German (BlueKnight).