Bug 49362

Summary: mariadb-10.1: Multiple issues (4.3)
Product: UCS
Reporter: Quality Assurance <qa>
Component: Security updates
Assignee: Quality Assurance <qa>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P3    
Version: UCS 4.3   
Target Milestone: UCS 4.3-4-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Description Quality Assurance univentionstaff 2019-04-29 07:57:35 CEST
New Debian mariadb-10.1 10.1.38-0+deb9u1 fixes:
This update addresses the following issues:
* Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2529)
* Server: DDL unspecified vulnerability (CPU Jan 2019) (CVE-2019-2537)
Comment 1 Quality Assurance univentionstaff 2019-04-29 09:00:52 CEST
--- mirror/ftp/4.3/unmaintained/4.3-3/source/mariadb-10.1_10.1.37-0+deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-4/source/mariadb-10.1_10.1.38-0+deb9u1.dsc
@@ -1,7 +1,26 @@
+10.1.38-0+deb9u1 [Tue, 16 Apr 2019 14:56:50 +0300] Otto Kekäläinen <otto@debian.org>:
+
+  * SECURITY UPDATE: New upstream release 10.1.38. Includes fixes for
+    the following security vulnerabilities (Closes: #920933):
+    - CVE-2019-2537
+    - CVE-2019-2529
+  * Update correct branch name in gbp.conf
+  * Disable test unit.pcre_test on s390x that was failing in stretch-security
+    (Closes: #920854)
+  * Limit build test suite to 'main' like in mariadb-10.3 to make unnecessary
+    build failures less likely in lifetime of Stretch.
+  * Fix mips compilation failure (__bss_start symbol missing) (Closes: #920855)
+  * Extend the server README to clarify common misunderstandings
+    (Closes: #878215)
+  * Enable ccache in CMake path so it can be used automatically where available
+  * Heavily refactor and unify gitlab-ci.yml MariaDB install/upgrade steps.
+    This ensures uploads to Stretch are much more safer to do now than in the
+    past.
+
 10.1.37-0+deb9u1 [Wed, 08 Aug 2018 19:32:41 +0300] Otto Kekäläinen <otto@debian.org>:
 
   * SECURITY UPDATE: New upstream release 10.1.37. Includes fixes for
-    the following security vulnerabilities (Closes: #912848);
+    the following security vulnerabilities (Closes: #912848):
     - CVE-2018-3282
     - CVE-2018-3251
     - CVE-2018-3174
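Review bot: besides adding the new 10.1.38-0+deb9u1 entry, this hunk also rewrites the already-released 10.1.37-0+deb9u1 entry (the `;` after `(Closes: #912848)` becomes `:`); the change is cosmetic and harmless, but it is worth noting for the errata review that historical changelog text was touched, not only the new entry. In the new entry, "much more safer to do now" should read "much safer to do now".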
@@ -14,6 +33,9 @@
   * Physically remove patches no longer in series and not applied anyway
   * Fix wrong-path-for-interpreter in innotop script to make package
     Lintian error free as pass CI systems fully
+  * Previous upstream version 10.1.36 included fixes for the following
+    security vulnerabilities:
+    - CVE-2019-2503
   * Previous upstream version 10.1.35 included fixes for the following
     security vulnerabilities:
     - CVE-2018-3066
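Review bot: this hunk retroactively adds CVE-2019-2503 to the released 10.1.37-0+deb9u1 entry as a fix already contained in upstream 10.1.36, so it is not part of the 10.1.38 change set; the errata YAML and announcement for this update should state only CVE-2019-2529 and CVE-2019-2537 as fixed here, and CVE-2019-2503 should be reconciled against the earlier 10.1.37 errata rather than counted as new in 4.3-4.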

<http://10.200.17.11/4.3-4/#8276844549449548383>
Comment 2 Philipp Hahn univentionstaff 2019-04-29 14:40:20 CEST
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 Plugins do not properly cleanup themselves from DB on uninstall

[4.3-4] 5d52f753c8 Bug #49362: mariadb-10.1 10.1.38-0+deb9u1
 doc/errata/staging/mariadb-10.1.yaml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

[4.3-4] 4bd66ebe26 Bug #49362: mariadb-10.1 10.1.38-0+deb9u1
 doc/errata/staging/mariadb-10.1.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-05-02 12:34:59 CEST
<http://errata.software-univention.de/ucs/4.3/489.html>