Bug 555480 - <dev-db/mariadb-{5.5.44,10.0.20}: multiple vulnerabilities (CVE-2015-{2582,2643,2648,3152,4752})
Summary: <dev-db/mariadb-{5.5.44,10.0.20}: multiple vulnerabilities (CVE-2015-{2582,26...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: B2 [glsa cve]
Keywords:
Duplicates: 548134
Depends on:
Blocks: 556432
Reported: 2015-07-20 14:04 UTC by Agostino Sarubbo
Modified: 2016-10-11 13:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-07-20 14:04:59 UTC
+++ This bug was initially created as a clone of Bug #555478 +++

A security update of mysql described at $URL
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-07-21 13:58:27 UTC
$URL lists these CVEs (resorted for readability):
CVE-2015-4772
CVE-2015-4771
CVE-2015-4769
CVE-2015-4767
CVE-2015-4761
CVE-2015-4757
CVE-2015-4756
CVE-2015-4752
CVE-2015-4737
CVE-2015-2661
CVE-2015-2648
CVE-2015-2643
CVE-2015-2641
CVE-2015-2639
CVE-2015-2620
CVE-2015-2617
CVE-2015-2611
CVE-2015-2582


https://mariadb.com/kb/en/mariadb/security/#cves-affecting-oracle-mysql says the following CVEs cannot be determined, since Oracle does not disclose information, and they are listed as 5.6 only.

CVE-2015-4772
CVE-2015-4771
CVE-2015-4769
CVE-2015-4767
CVE-2015-4761
CVE-2015-4756
CVE-2015-2661
CVE-2015-2641
CVE-2015-2639
CVE-2015-2617
CVE-2015-2611
CVE-2015-2567
CVE-2015-2566

So that leaves these as yet to be determined:
CVE-2015-4757
CVE-2015-4752
CVE-2015-4737
CVE-2015-2648
CVE-2015-2643
CVE-2015-2620
CVE-2015-2582
Comment 2 Brian Evans (RETIRED) gentoo-dev 2015-08-13 20:36:39 UTC
Summary of maria-discuss post[1]:
>Thanks. I've updated the security page[2] now.
>I think that CVE-2015-4757 is fixed in 5.5.43 (and 10.0.18), and
>  CVE-2015-4752
>  CVE-2015-2648
>  CVE-2015-2643 
>  CVE-2015-2582
>are fixed in 5.5.44 (and 10.0.20).

Though the CVEs only go up to <10.0.20, I am targeting 10.0.21 for connection issues related, but not vulnerable, to LogJam.

Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource-starved machines (each test thread can spawn up to 4 server instances).

Target keywords:
=dev-db/mariadb-10.0.21 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl ssl static-libs community' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.21.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"

[1] https://lists.launchpad.net/maria-discuss/msg02868.html
[2] https://mariadb.com/kb/en/mariadb/security/
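The affected ranges in this bug (5.5.x below 5.5.44 and 10.0.x below 10.0.20, the fixed versions named in the quoted maria-discuss post) can be turned into a small check that an administrator runs against the banner a local mysqld prints. The script below is an added example written for this page; it is not part of the bug, the ebuild or any Gentoo tooling. The banner string it parses is a constructed sample of `mysqld --version` output, and the helper names (`extract_version`, `version_lt`, `mariadb_affected`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug or from Gentoo: classify a MariaDB version
# against the ranges this bug covers.
#   5.5.x  is affected below 5.5.44
#   10.0.x is affected below 10.0.20
# (fixed versions for CVE-2015-4752/2648/2643/2582 per comment 2)

# extract_version BANNER
# Prints the dotted x.y.z version from a banner such as
# "mysqld  Ver 10.0.19-MariaDB-log for Linux on x86_64" (assumed format).
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_lt A B
# Succeeds when dotted version A is numerically lower than B,
# comparing major, minor and patch as integers (no string comparison).
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# mariadb_affected VERSION
# Succeeds when VERSION lies inside one of the ranges this bug covers.
# Branches the bug does not mention (e.g. 10.1.x) are reported as not covered.
mariadb_affected() {
    case "$1" in
        5.5.*)  version_lt "$1" 5.5.44 ;;
        10.0.*) version_lt "$1" 10.0.20 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone run on a constructed sample banner (not real output from a host).
SAMPLE_BANNER='mysqld  Ver 10.0.19-MariaDB-log for Linux on x86_64'
v=$(extract_version "$SAMPLE_BANNER")
if mariadb_affected "$v"; then
    echo "$v: inside the affected range, upgrade to a version the GLSA lists"
else
    echo "$v: not in a range covered by this bug"
fi
```

On a real host the banner would come from `mysqld --version`; the check deliberately stays on the version string alone, so it tells you only whether the build predates the fix, not whether a particular CVE is reachable in your configuration.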
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-15 20:04:04 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-16 11:08:01 UTC
Stable for PPC64.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-16 14:16:27 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-17 04:12:32 UTC
Stable for HPPA.
Comment 7 Brian Evans (RETIRED) gentoo-dev 2015-08-19 13:35:56 UTC
*** Bug 548134 has been marked as a duplicate of this bug. ***
Comment 8 Markus Meier gentoo-dev 2015-08-21 16:47:01 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:05 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-30 13:59:31 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-09-06 08:32:55 UTC
sparc stable
Comment 12 Brian Evans (RETIRED) gentoo-dev 2015-09-17 15:07:31 UTC
@ia64: ping

month old security bug needs some love
Comment 13 Agostino Sarubbo gentoo-dev 2015-09-24 08:10:13 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Brian Evans (RETIRED) gentoo-dev 2015-09-24 12:41:40 UTC
Cleanup complete
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:02:21 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 13:45:17 UTC
This issue was resolved and addressed in
 GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06
by GLSA coordinator Aaron Bauman (b-man).