Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589346 (CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440) - <dev-db/mariadb-{5.5.50,10.0.26,10.1.15}: multiple vulnerabilities
Summary: <dev-db/mariadb-{5.5.50,10.0.26,10.1.15}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://mariadb.com/kb/en/mariadb/sec...
Whiteboard: A2 [glsa cve blocked]
Keywords:
Depends on: 593608
Blocks:
  Show dependency tree
 
Reported: 2016-07-21 17:51 UTC by Brian Evans (RETIRED)
Modified: 2016-10-11 13:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Evans (RETIRED) gentoo-dev 2016-07-21 17:51:20 UTC 
Since MariaDB is a fork of MySQL 5.5, they relased a security update of dev-db/mariadb described at $URL related to http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL

Full List of CVEs fixed in MariaDB

    CVE-2016-5440: MariaDB 5.5.50, MariaDB 10.1.15, MariaDB 10.0.26
    CVE-2016-3615: MariaDB 5.5.50, MariaDB 10.1.15, MariaDB 10.0.26
    CVE-2016-3521: MariaDB 5.5.50, MariaDB 10.1.15, MariaDB 10.0.26
    CVE-2016-3477: MariaDB 5.5.50, MariaDB 10.1.15, MariaDB 10.0.26
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-07-23 02:31:08 UTC 
Added to existing GLSA.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-07-25 16:18:39 UTC 
Shouldn't we call 10.0.26 to stable for this bug? 10.0.25 is the current stable.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-26 11:18:14 UTC 
(In reply to Brian Evans from comment #2)
> Shouldn't we call 10.0.26 to stable for this bug? 10.0.25 is the current
> stable.

Yes, as it is shown in the bug title that is what we would call for.  Are you ready to call for it?
Comment 4 Brian Evans (RETIRED) gentoo-dev 2016-07-26 13:04:01 UTC 
(In reply to Aaron Bauman from comment #3)
> (In reply to Brian Evans from comment #2)
> > Shouldn't we call 10.0.26 to stable for this bug? 10.0.25 is the current
> > stable.
> 
> Yes, as it is shown in the bug title that is what we would call for.  Are
> you ready to call for it?

Yes, I'm ready.. I was just confused by the actions in Comment 1 which usually happens later.

-----

Arches, please test and mark stable.
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords:
=dev-db/mariadb-10.0.26 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

# Official test instructions:
# USE='embedded extraengine perl server openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-X.X.XX.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-28 08:45:11 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-28 14:10:23 UTC 
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-28 18:57:08 UTC 
Stable for PPC64.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-30 07:54:25 UTC 
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2016-08-10 19:34:51 UTC 
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-03 08:18:57 UTC 
Stable on alpha.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 13:46:17 UTC 
This issue was resolved and addressed in
 GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06
by GLSA coordinator Aaron Bauman (b-man).