+++ This bug was initially created as a clone of Bug #572870 +++ http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html#MSQL
From $URL: Full List of CVEs fixed in MariaDB CVE-2016-2047: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0616: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0610: MariaDB 10.1.9, MariaDB 10.0.22 CVE-2016-0609: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0608: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0606: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0600: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0598: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0597: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0596: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0546: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0505: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 CVE-2016-0502: MariaDB 5.5.32, MariaDB 10.0.4 CVE-2015-7744: MariaDB 5.5.46, MariaDB 10.1.9, MariaDB 10.0.22
(In reply to Brian Evans from comment #1) > From $URL: > Full List of CVEs fixed in MariaDB > > CVE-2016-2047: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0616: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0610: MariaDB 10.1.9, MariaDB 10.0.22 > CVE-2016-0609: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0608: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0606: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0600: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0598: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0597: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0596: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0546: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0505: MariaDB 5.5.47, MariaDB 10.1.10, MariaDB 10.0.23 > CVE-2016-0502: MariaDB 5.5.32, MariaDB 10.0.4 > CVE-2015-7744: MariaDB 5.5.46, MariaDB 10.1.9, MariaDB 10.0.22 I really guess that the vulnerabilities fixed in those releases have nothing to do with the oracle cpu jan 2016.
Only one is not listed in the oracle report, CVE-2016-2047. MariaDB keeps a separate list because they pull from the MySQL 5.5 branch only and merge in their own changes from there. I would love to go stable if you have no more objections.
Arches, please test and mark stable. The test suite should pass following the official instructions. Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances) Target keywords: =dev-db/mariadb-10.0.23 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 # Official test instructions: # USE='embedded extraengine perl server openssl static-libs' \ # FEATURES='test userpriv -usersandbox' \ # ebuild mariadb-X.X.XX.ebuild \ # digest clean package # Parallel testing is enabled, auto will try to detect number of cores # You may set this by hand. # The default maximum is 8 unless MTR_MAX_PARALLEL is increased export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
amd64 stable
Stable on alpha.
Stable for HPPA PPC64.
arm stable
x86 stable
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
Cleanup complete
CVE-2016-2047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2047): The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10, Oracle MySQL, and Percona Server do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com." CVE-2016-0616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0616): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2016-0611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0611): Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2016-0610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0610): Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. CVE-2016-0609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0609): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges. CVE-2016-0608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0608): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF. CVE-2016-0606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0606): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption. CVE-2016-0600 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0600): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. CVE-2016-0598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0598): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. CVE-2016-0597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0597): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2016-0596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0596): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. CVE-2016-0505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0505): Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options. CVE-2016-0502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0502): Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. CVE-2015-7744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7744): wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack.
GLSA Vote: No.