Security update for mariadb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2448-1 Final 1 1 2016-10-04T11:14:02Z current 2016-10-04T11:14:02Z 2016-10-04T11:14:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mariadb This update for mariadb to 10.0.27 fixes the following issues: Security issue fixed: * CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user. (bsc#998309) * release notes: * https://kb.askmonty.org/en/mariadb-10027-release-notes * changelog: * https://kb.askmonty.org/en/mariadb-10027-changelog Bugs fixed: - Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520) This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00003.html E-Mail link for openSUSE-SU-2016:2448-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libmysqlclient-devel-10.0.27-12.1 libmysqlclient18-10.0.27-12.1 libmysqlclient18-32bit-10.0.27-12.1 libmysqlclient_r18-10.0.27-12.1 libmysqlclient_r18-32bit-10.0.27-12.1 libmysqld-devel-10.0.27-12.1 libmysqld18-10.0.27-12.1 mariadb-10.0.27-12.1 mariadb-bench-10.0.27-12.1 mariadb-client-10.0.27-12.1 mariadb-errormessages-10.0.27-12.1 mariadb-test-10.0.27-12.1 mariadb-tools-10.0.27-12.1 libmysqlclient-devel-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqlclient18-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqlclient18-32bit-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqlclient_r18-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqlclient_r18-32bit-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqld-devel-10.0.27-12.1 as a component of openSUSE Leap 42.1 libmysqld18-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-bench-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-client-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-errormessages-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-test-10.0.27-12.1 as a component of openSUSE Leap 42.1 mariadb-tools-10.0.27-12.1 as a component of openSUSE Leap 42.1 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15. CVE-2016-6662 openSUSE Leap 42.1:libmysqlclient-devel-10.0.27-12.1 openSUSE Leap 42.1:libmysqlclient18-10.0.27-12.1 openSUSE Leap 42.1:libmysqlclient18-32bit-10.0.27-12.1 openSUSE Leap 42.1:libmysqlclient_r18-10.0.27-12.1 openSUSE Leap 42.1:libmysqlclient_r18-32bit-10.0.27-12.1 openSUSE Leap 42.1:libmysqld-devel-10.0.27-12.1 openSUSE Leap 42.1:libmysqld18-10.0.27-12.1 openSUSE Leap 42.1:mariadb-10.0.27-12.1 openSUSE Leap 42.1:mariadb-bench-10.0.27-12.1 openSUSE Leap 42.1:mariadb-client-10.0.27-12.1 openSUSE Leap 42.1:mariadb-errormessages-10.0.27-12.1 openSUSE Leap 42.1:mariadb-test-10.0.27-12.1 openSUSE Leap 42.1:mariadb-tools-10.0.27-12.1 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00003.html https://www.suse.com/security/cve/CVE-2016-6662.html CVE-2016-6662 https://bugzilla.suse.com/1001367 SUSE Bug 1001367 https://bugzilla.suse.com/1005580 SUSE Bug 1005580 https://bugzilla.suse.com/1020873 SUSE Bug 1020873 https://bugzilla.suse.com/1020884 SUSE Bug 1020884 https://bugzilla.suse.com/1021755 SUSE Bug 1021755 https://bugzilla.suse.com/998309 SUSE Bug 998309