Bug 958790 - VUL-0: mariadb: 10.0.21 security release
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2015-12-11 15:33 UTC by Marcus Meissner
Modified: 2016-04-27 19:49 UTC

Description Marcus Meissner 2015-12-11 15:33:08 UTC
mariadb 10.0.21 was also released

https://mariadb.com/kb/en/mariadb/mariadb-10021-release-notes/

Notable changes

    XtraDB updated to XtraDB-5.6.25-73.1
    InnoDB updated to InnoDB-5.6.26
    Performance Schema updated to 5.6.26
    Connect engine now has Gamma maturity (was: Beta)
    Diffie-Hellman modulus increased to 2048 bits (MDEV-8352)
    Fixes for the following security vulnerabilities:
        CVE-2015-4816
        CVE-2015-4819
        CVE-2015-4879
        CVE-2015-4895
Comment 1 Swamp Workflow Management 2015-12-11 23:00:53 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2015-12-12 11:41:19 UTC
CVE-2015-4816: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : InnoDB). Supported versions that are affected are 5.5.44 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P).

CVE-2015-4819: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.44 and earlier and 5.6.25 and earlier. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

Note: The CVSS score is 7.2 if the Utility runs with admin or root privileges. The score would be 4.6 if the Utility runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.

CVSS Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

CVE-2015-4879: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : DML). Supported versions that are affected are 5.5.44 and earlier and 5.6.25 and earlier. Very difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized takeover of MySQL Server possibly including arbitrary code execution within the MySQL Server.

CVSS Base Score 4.6 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P).

CVE-2015-4895: Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : InnoDB). Supported versions that are affected are 5.6.25 and earlier. Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS Base Score 3.5 (Availability impacts). CVSS V2 Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P).
Comment 3 SMASH SMASH 2015-12-12 12:14:32 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 18, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121114/.
Comment 5 Kristyna Streitova 2015-12-16 15:58:37 UTC
Submitted for SLE12 (https://build.suse.de/request/show/85854). The rest of the products were already updated to 10.0.21.

Reassigning to security team.
Comment 6 Andreas Stieger 2016-01-14 16:48:49 UTC
Releasing SLE 12 GA update
Comment 7 Swamp Workflow Management 2016-01-14 20:12:29 UTC
SUSE-SU-2016:0121-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934401,937258,937343,937787,958789,958790
CVE References: CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4816,CVE-2015-4819,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4879,CVE-2015-4895,CVE-2015-4913
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    mariadb-10.0.22-20.3.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mariadb-10.0.22-20.3.1
SUSE Linux Enterprise Server 12 (src):    mariadb-10.0.22-20.3.1
SUSE Linux Enterprise Desktop 12 (src):    mariadb-10.0.22-20.3.1