Security update for mariadb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2746-1 Final 1 1 2016-11-08T14:01:55Z current 2016-11-08T14:01:55Z 2016-11-08T14:01:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mariadb This update for mariadb to 10.0.27 fixes the following issues: * release notes: * https://kb.askmonty.org/en/mariadb-10027-release-notes * https://kb.askmonty.org/en/mariadb-10026-release-notes * changelog: * https://kb.askmonty.org/en/mariadb-10027-changelog * https://kb.askmonty.org/en/mariadb-10026-changelog * fixed CVE's 10.0.27: CVE-2016-5612, CVE-2016-5630, CVE-2016-6662 10.0.26: CVE-2016-5440, CVE-2016-3615, CVE-2016-3521, CVE-2016-3477 * fix: [boo#1005561], [boo#1005570], [boo#998309], [boo#989926], [boo#989922], [boo#989919], [boo#989913] - requires devel packages for aio and lzo2 - remove mariadb-10.0.21-mysql-test_main_bootstrap.patch that is no longer needed [boo#984858] - append "--ignore-db-dir=lost+found" to the mysqld options in "mysql-systemd-helper" script if "lost+found" directory is found in $datadir [boo#986251] - remove syslog.target from *.service files [boo#983938] - add systemd to deps to build on leap and friends - replace '%{_libexecdir}/systemd/system' with %{_unitdir} macro - remove useless mysql@default.service [boo#971456] - make ORDER BY optimization functions take into account multiple equalities [boo#949520] - adjust mysql-test results in order to take account of a new option (orderby_uses_equalities) added by the optimizer patch [boo#1003800] - replace all occurrences of the string "@sysconfdir@" with "/etc" in mysql-community-server-5.1.46-logrotate.patch as it wasn't expanded properly [boo#990890] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html E-Mail link for openSUSE-SU-2016:2746-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libmysqlclient-devel-10.0.27-2.27.1 libmysqlclient18-10.0.27-2.27.1 libmysqlclient18-32bit-10.0.27-2.27.1 libmysqlclient18-debuginfo-10.0.27-2.27.1 libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 libmysqlclient_r18-10.0.27-2.27.1 libmysqlclient_r18-32bit-10.0.27-2.27.1 libmysqld-devel-10.0.27-2.27.1 libmysqld18-10.0.27-2.27.1 libmysqld18-debuginfo-10.0.27-2.27.1 mariadb-10.0.27-2.27.1 mariadb-bench-10.0.27-2.27.1 mariadb-bench-debuginfo-10.0.27-2.27.1 mariadb-client-10.0.27-2.27.1 mariadb-client-debuginfo-10.0.27-2.27.1 mariadb-debuginfo-10.0.27-2.27.1 mariadb-debugsource-10.0.27-2.27.1 mariadb-errormessages-10.0.27-2.27.1 mariadb-test-10.0.27-2.27.1 mariadb-test-debuginfo-10.0.27-2.27.1 mariadb-tools-10.0.27-2.27.1 mariadb-tools-debuginfo-10.0.27-2.27.1 libmysqlclient-devel-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient18-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient18-32bit-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient18-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient_r18-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqlclient_r18-32bit-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqld-devel-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqld18-10.0.27-2.27.1 as a component of openSUSE 13.2 libmysqld18-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-bench-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-bench-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-client-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-client-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-debugsource-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-errormessages-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-test-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-test-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-tools-10.0.27-2.27.1 as a component of openSUSE 13.2 mariadb-tools-debuginfo-10.0.27-2.27.1 as a component of openSUSE 13.2 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. CVE-2016-3477 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-3477.html CVE-2016-3477 https://bugzilla.suse.com/989913 SUSE Bug 989913 https://bugzilla.suse.com/991616 SUSE Bug 991616 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types. CVE-2016-3521 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-3521.html CVE-2016-3521 https://bugzilla.suse.com/989919 SUSE Bug 989919 https://bugzilla.suse.com/991616 SUSE Bug 991616 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML. CVE-2016-3615 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important 4.9 AV:N/AC:H/Au:S/C:N/I:N/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-3615.html CVE-2016-3615 https://bugzilla.suse.com/989922 SUSE Bug 989922 https://bugzilla.suse.com/991616 SUSE Bug 991616 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR. CVE-2016-5440 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-5440.html CVE-2016-5440 https://bugzilla.suse.com/989926 SUSE Bug 989926 https://bugzilla.suse.com/991616 SUSE Bug 991616 Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML. CVE-2016-5612 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-5612.html CVE-2016-5612 https://bugzilla.suse.com/1005561 SUSE Bug 1005561 Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. CVE-2016-5630 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-5630.html CVE-2016-5630 https://bugzilla.suse.com/1005570 SUSE Bug 1005570 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15. CVE-2016-6662 openSUSE 13.2:libmysqlclient-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient18-debuginfo-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-10.0.27-2.27.1 openSUSE 13.2:libmysqlclient_r18-32bit-10.0.27-2.27.1 openSUSE 13.2:libmysqld-devel-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-10.0.27-2.27.1 openSUSE 13.2:libmysqld18-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-10.0.27-2.27.1 openSUSE 13.2:mariadb-bench-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-10.0.27-2.27.1 openSUSE 13.2:mariadb-client-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-debugsource-10.0.27-2.27.1 openSUSE 13.2:mariadb-errormessages-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-10.0.27-2.27.1 openSUSE 13.2:mariadb-test-debuginfo-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-10.0.27-2.27.1 openSUSE 13.2:mariadb-tools-debuginfo-10.0.27-2.27.1 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00018.html https://www.suse.com/security/cve/CVE-2016-6662.html CVE-2016-6662 https://bugzilla.suse.com/1001367 SUSE Bug 1001367 https://bugzilla.suse.com/1005580 SUSE Bug 1005580 https://bugzilla.suse.com/1020873 SUSE Bug 1020873 https://bugzilla.suse.com/1020884 SUSE Bug 1020884 https://bugzilla.suse.com/1021755 SUSE Bug 1021755 https://bugzilla.suse.com/998309 SUSE Bug 998309