Bug 48201 - mariadb-10.1: Multiple issues (4.3)
mariadb-10.1: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-11-26 10:21 CET by Quality Assurance
Modified: 2018-11-28 12:10 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.7 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-11-26 10:21:00 CET
New Debian mariadb-10.1 10.1.37-0+deb9u1 fixes:
This update addresses the following issues:
* Server: Replication unspecified vulnerability (CPU Oct 2017)  (CVE-2017-10268)
* Server: Optimizer unspecified vulnerability (CPU Oct 2017) (CVE-2017-10378)
* Replication in sql/event_data_objects.cc occurs before ACL checks  (CVE-2017-15365)
* Server : Partition unspecified vulnerability (CPU Jan 2018) (CVE-2018-2562)
* InnoDB unspecified vulnerability (CPU Jan 2018) (CVE-2018-2612)
* Server: DDL unspecified vulnerability (CPU Jan 2018) (CVE-2018-2622)
* Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2640)
* Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2665)
* Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2668)
* Server: Replication unspecified vulnerability (CPU Apr 2018)  (CVE-2018-2755)
* Client programs unspecified vulnerability (CPU Apr 2018) (CVE-2018-2761)
* InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2766)
* use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)  (CVE-2018-2767)
* Server: Locking unspecified vulnerability (CPU Apr 2018) (CVE-2018-2771)
* Server: Optimizer unspecified vulnerability (CPU Apr 2018) (CVE-2018-2781)
* InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2782)
* InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2784)
* InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2787)
* Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2813)
* Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2817)
* InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2819)
* MyISAM unspecified vulnerability (CPU Jul 2018) (CVE-2018-3058)
* Server: Security: Privileges unspecified vulnerability (CPU Jul 2018)  (CVE-2018-3063)
* InnoDB unspecified vulnerability (CPU Jul 2018) (CVE-2018-3064)
* Server: Options unspecified vulnerability (CPU Jul 2018) (CVE-2018-3066)
* Client programs unspecified vulnerability (CPU Jul 2018) (CVE-2018-3081)
* InnoDB unspecified vulnerability (CPU Oct 2018) (CVE-2018-3143)
* InnoDB unspecified vulnerability (CPU Oct 2018) (CVE-2018-3156)
* Client programs unspecified vulnerability (CPU Oct 2018) (CVE-2018-3174)
* InnoDB unspecified vulnerability (CPU Oct 2018) (CVE-2018-3251)
* Server: Storage Engines unspecified vulnerability (CPU Oct 2018)  (CVE-2018-3282)
Comment 1 Quality Assurance univentionstaff 2018-11-26 11:00:57 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/mariadb-10.1_10.1.26-0+deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/mariadb-10.1_10.1.37-0+deb9u1.dsc
@@ -1,7 +1,87 @@
+10.1.37-0+deb9u1 [Wed, 08 Aug 2018 19:32:41 +0300] Otto Kekäläinen <otto@debian.org>:
+
+  * SECURITY UPDATE: New upstream release 10.1.37. Includes fixes for
+    the following security vulnerabilities (Closes: #912848);
+    - CVE-2018-3282
+    - CVE-2018-3251
+    - CVE-2018-3174
+    - CVE-2018-3156
+    - CVE-2018-3143
+    - CVE-2016-9843
+  * Add (and rename) new man pages
+  * Add Gitlab-CI definition file that can test each commit to this repository
+  * Fix d/control metadata to match status for Debian Stretch
+  * Physically remove patches no longer in series and not applied anyway
+  * Fix wrong-path-for-interpreter in innotop script to make package
+    Lintian error free as pass CI systems fully
+  * Previous upstream version 10.1.35 included fixes for the following
+    security vulnerabilities:
+    - CVE-2018-3066
+    - CVE-2018-3064
+    - CVE-2018-3063
+    - CVE-2018-3058
+  * Previous upstream version 10.1.33 included fixes for the following
+    security vulnerabilities:
+    - CVE-2018-2819
+    - CVE-2018-2817
+    - CVE-2018-2813
+    - CVE-2018-2787
+    - CVE-2018-2784
+    - CVE-2018-2782
+    - CVE-2018-2781
+    - CVE-2018-2771
+    - CVE-2018-2767
+    - CVE-2018-2766
+    - CVE-2018-2761
+    - CVE-2018-2755
+  * Previous upstream version 10.1.31 included fixes for the following
+    security vulnerabilities:
+    - CVE-2018-2668
+    - CVE-2018-2665
+    - CVE-2018-2640
+    - CVE-2018-2622
+    - CVE-2018-2612
+    - CVE-2018-2562
+  * Revert "Update d/gbp.conf to track stretch branches"
+  * New upstream version 10.1.30. Includes fixes for the following
+    security vulnerabilities (Closes: #885345):
+    - CVE-2017-15365
+  * Amend previous Debian changelog entries to contain new CVE identifiers
+  * Refresh patches for MariaDB 10.1.30 and again for .34
+  * Delete unnecessary systemd files introduced by upstream
+  * Add new files introduced by upstream to correct packages
+  * Use list-missing instead of fail in d/rules so builds pass
+
+  [ Ondřej Surý ]
+  * New upstream version 10.1.29. Includes fixes for the following
+    security vulnerabilities:
+    - CVE-2017-10378
+    - CVE-2017-10268
+    - MDEV-13819
+  * Add libconfig-inifiles-perl to mariadb-client-10.1 depends to fix
+    mytop
+  * Add mips64el to the list of platforms that are allowed to fail test
+    suite
+  * Handle new and/or missing files
+  * Ignore failed tests on more non-release platforms (kfreebsd-i386,
+    kfreebsd-amd64 and sparc64)
+  * Rebase patches for MariaDB 10.1.29
+
+  [ Christian Ehrhardt ]
+  * d/t/upstream: skip func_regexp_pcre on s390x
+
+  [ Vicentiu Ciorbaru ]
+  * Fix Mroonga compilation failure on arm64
+  * Extend libmariadbclient-rename.patch to cover TokuDB as well
+  * Disable disks.disks test
+
 10.1.26-0+deb9u1 [Thu, 10 Aug 2017 21:07:44 +0200] Ondřej Surý <ondrej@debian.org>:
 
   * New upstream version 10.1.26.  Includes fixes for the following
     security vulnerabilities:
+    - CVE-2017-10384
+    - CVE-2017-10379
+    - CVE-2017-10286
     - CVE-2017-3636
     - CVE-2017-3641
     - CVE-2017-3653

<http://10.200.17.11/4.3-2/#7468064906290917408>
Comment 2 Philipp Hahn univentionstaff 2018-11-26 13:31:35 CET
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
  This is due to MariaDB not being started correctly in the PIUpaRTs environment.

[4.3-2] 637ba7f954 Bug #48201: mariadb-10.1 10.1.37-0+deb9u1
 doc/errata/staging/mariadb-10.1.yaml | 62 +++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 33 deletions(-)

[4.3-2] 670d073f04 Bug #48201: mariadb-10.1 10.1.37-0+deb9u1
 doc/errata/staging/mariadb-10.1.yaml | 78 ++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)