Security update for mariadb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:3025-1 Final 1 1 2016-12-06T11:45:42Z current 2016-12-06T11:45:42Z 2016-12-06T11:45:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mariadb This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes: - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes: - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless mysql@default.service (bsc#1004477) - Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890) - Notable changes: * XtraDB updated to 5.6.33-79.0 * TokuDB updated to 5.6.33-79.0 * Innodb updated to 5.6.33 * Performance Schema updated to 5.6.33 - Release notes and upstream changelog: * https://kb.askmonty.org/en/mariadb-10028-release-notes * https://kb.askmonty.org/en/mariadb-10028-changelog This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html E-Mail link for openSUSE-SU-2016:3025-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libmysqlclient-devel-10.0.28-15.1 libmysqlclient18-10.0.28-15.1 libmysqlclient18-32bit-10.0.28-15.1 libmysqlclient_r18-10.0.28-15.1 libmysqlclient_r18-32bit-10.0.28-15.1 libmysqld-devel-10.0.28-15.1 libmysqld18-10.0.28-15.1 mariadb-10.0.28-15.1 mariadb-bench-10.0.28-15.1 mariadb-client-10.0.28-15.1 mariadb-errormessages-10.0.28-15.1 mariadb-test-10.0.28-15.1 mariadb-tools-10.0.28-15.1 libmysqlclient-devel-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqlclient18-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqlclient18-32bit-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqlclient_r18-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqlclient_r18-32bit-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqld-devel-10.0.28-15.1 as a component of openSUSE Leap 42.2 libmysqld18-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-bench-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-client-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-errormessages-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-test-10.0.28-15.1 as a component of openSUSE Leap 42.2 mariadb-tools-10.0.28-15.1 as a component of openSUSE Leap 42.2 Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. CVE-2016-3492 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-3492.html CVE-2016-3492 https://bugzilla.suse.com/1005555 SUSE Bug 1005555 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 and earlier, and 5.7.15 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. CVE-2016-5584 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4.9 AV:N/AC:H/Au:S/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-5584.html CVE-2016-5584 https://bugzilla.suse.com/1005558 SUSE Bug 1005558 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-6663. Reason: This candidate is a reservation duplicate of CVE-2016-6663. Notes: All CVE users should reference CVE-2016-6663 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-5616 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 6 AV:L/AC:H/Au:S/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-5616.html CVE-2016-5616 https://bugzilla.suse.com/1001367 SUSE Bug 1001367 https://bugzilla.suse.com/1005555 SUSE Bug 1005555 https://bugzilla.suse.com/1005557 SUSE Bug 1005557 https://bugzilla.suse.com/1005561 SUSE Bug 1005561 https://bugzilla.suse.com/1005562 SUSE Bug 1005562 https://bugzilla.suse.com/1005563 SUSE Bug 1005563 https://bugzilla.suse.com/1005564 SUSE Bug 1005564 https://bugzilla.suse.com/1005566 SUSE Bug 1005566 https://bugzilla.suse.com/1005569 SUSE Bug 1005569 https://bugzilla.suse.com/1005570 SUSE Bug 1005570 https://bugzilla.suse.com/1005582 SUSE Bug 1005582 https://bugzilla.suse.com/1008253 SUSE Bug 1008253 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 https://bugzilla.suse.com/1020875 SUSE Bug 1020875 https://bugzilla.suse.com/1020876 SUSE Bug 1020876 https://bugzilla.suse.com/1020877 SUSE Bug 1020877 https://bugzilla.suse.com/1020878 SUSE Bug 1020878 https://bugzilla.suse.com/1020882 SUSE Bug 1020882 https://bugzilla.suse.com/1020883 SUSE Bug 1020883 https://bugzilla.suse.com/1020884 SUSE Bug 1020884 https://bugzilla.suse.com/1020885 SUSE Bug 1020885 https://bugzilla.suse.com/1020888 SUSE Bug 1020888 https://bugzilla.suse.com/1020890 SUSE Bug 1020890 https://bugzilla.suse.com/1020891 SUSE Bug 1020891 https://bugzilla.suse.com/1020893 SUSE Bug 1020893 https://bugzilla.suse.com/1020894 SUSE Bug 1020894 https://bugzilla.suse.com/1020896 SUSE Bug 1020896 https://bugzilla.suse.com/1020898 SUSE Bug 1020898 https://bugzilla.suse.com/1020901 SUSE Bug 1020901 https://bugzilla.suse.com/1022428 SUSE Bug 1022428 https://bugzilla.suse.com/1029014 SUSE Bug 1029014 https://bugzilla.suse.com/1029396 SUSE Bug 1029396 https://bugzilla.suse.com/1049393 SUSE Bug 1049393 https://bugzilla.suse.com/1049394 SUSE Bug 1049394 https://bugzilla.suse.com/1049396 SUSE Bug 1049396 https://bugzilla.suse.com/1049399 SUSE Bug 1049399 https://bugzilla.suse.com/1049400 SUSE Bug 1049400 https://bugzilla.suse.com/1049401 SUSE Bug 1049401 https://bugzilla.suse.com/1049402 SUSE Bug 1049402 https://bugzilla.suse.com/1049403 SUSE Bug 1049403 https://bugzilla.suse.com/1049404 SUSE Bug 1049404 https://bugzilla.suse.com/1049405 SUSE Bug 1049405 https://bugzilla.suse.com/1049406 SUSE Bug 1049406 https://bugzilla.suse.com/1049407 SUSE Bug 1049407 https://bugzilla.suse.com/1049408 SUSE Bug 1049408 https://bugzilla.suse.com/1049409 SUSE Bug 1049409 https://bugzilla.suse.com/1049410 SUSE Bug 1049410 https://bugzilla.suse.com/1049411 SUSE Bug 1049411 https://bugzilla.suse.com/1049412 SUSE Bug 1049412 https://bugzilla.suse.com/1049414 SUSE Bug 1049414 https://bugzilla.suse.com/1049415 SUSE Bug 1049415 https://bugzilla.suse.com/1049416 SUSE Bug 1049416 https://bugzilla.suse.com/1049417 SUSE Bug 1049417 https://bugzilla.suse.com/1064101 SUSE Bug 1064101 https://bugzilla.suse.com/1064107 SUSE Bug 1064107 https://bugzilla.suse.com/1064115 SUSE Bug 1064115 https://bugzilla.suse.com/1064116 SUSE Bug 1064116 https://bugzilla.suse.com/1064117 SUSE Bug 1064117 https://bugzilla.suse.com/998309 SUSE Bug 998309 Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows remote authenticated users to affect availability via vectors related to DML. CVE-2016-5624 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-5624.html CVE-2016-5624 https://bugzilla.suse.com/1005564 SUSE Bug 1005564 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS. CVE-2016-5626 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-5626.html CVE-2016-5626 https://bugzilla.suse.com/1005566 SUSE Bug 1005566 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote administrators to affect availability via vectors related to Server: Federated. CVE-2016-5629 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-5629.html CVE-2016-5629 https://bugzilla.suse.com/1005569 SUSE Bug 1005569 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table. CVE-2016-6663 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 important 3.5 AV:L/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-6663.html CVE-2016-6663 https://bugzilla.suse.com/1001367 SUSE Bug 1001367 https://bugzilla.suse.com/1008253 SUSE Bug 1008253 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 https://bugzilla.suse.com/1021755 SUSE Bug 1021755 https://bugzilla.suse.com/998309 SUSE Bug 998309 The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences. CVE-2016-7440 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:L/AC:H/Au:N/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-7440.html CVE-2016-7440 https://bugzilla.suse.com/1005581 SUSE Bug 1005581 https://bugzilla.suse.com/1008318 SUSE Bug 1008318 Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. CVE-2016-8283 openSUSE Leap 42.2:libmysqlclient-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-10.0.28-15.1 openSUSE Leap 42.2:libmysqlclient_r18-32bit-10.0.28-15.1 openSUSE Leap 42.2:libmysqld-devel-10.0.28-15.1 openSUSE Leap 42.2:libmysqld18-10.0.28-15.1 openSUSE Leap 42.2:mariadb-10.0.28-15.1 openSUSE Leap 42.2:mariadb-bench-10.0.28-15.1 openSUSE Leap 42.2:mariadb-client-10.0.28-15.1 openSUSE Leap 42.2:mariadb-errormessages-10.0.28-15.1 openSUSE Leap 42.2:mariadb-test-10.0.28-15.1 openSUSE Leap 42.2:mariadb-tools-10.0.28-15.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00014.html https://www.suse.com/security/cve/CVE-2016-8283.html CVE-2016-8283 https://bugzilla.suse.com/1005582 SUSE Bug 1005582 https://bugzilla.suse.com/1008318 SUSE Bug 1008318