Security update for mariadb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0289-1 Final 1 1 2020-03-02T23:15:05Z current 2020-03-02T23:15:05Z 2020-03-02T23:15:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mariadb This update for mariadb fixes the following issues: MariaDB was updated to version 10.2.31 GA (bsc#1162388). Security issues fixed: - CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). - CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895). - Enabled security hardenings in MariaDB's systemd service, namely ProtectSystem, ProtectHome and UMask (bsc#1160878). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-289 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2WWOUCCIRD2P3YRI5GU76EFPRT63XZMG/ E-Mail link for openSUSE-SU-2020:0289-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1160878 SUSE Bug 1160878 https://bugzilla.suse.com/1160883 SUSE Bug 1160883 https://bugzilla.suse.com/1160895 SUSE Bug 1160895 https://bugzilla.suse.com/1160912 SUSE Bug 1160912 https://bugzilla.suse.com/1162388 SUSE Bug 1162388 https://www.suse.com/security/cve/CVE-2019-18901/ SUSE CVE CVE-2019-18901 page https://www.suse.com/security/cve/CVE-2020-2574/ SUSE CVE CVE-2020-2574 page openSUSE Leap 15.1 libmysqld-devel-10.2.31-lp151.2.12.1 libmysqld19-10.2.31-lp151.2.12.1 mariadb-10.2.31-lp151.2.12.1 mariadb-bench-10.2.31-lp151.2.12.1 mariadb-client-10.2.31-lp151.2.12.1 mariadb-errormessages-10.2.31-lp151.2.12.1 mariadb-galera-10.2.31-lp151.2.12.1 mariadb-test-10.2.31-lp151.2.12.1 mariadb-tools-10.2.31-lp151.2.12.1 libmysqld-devel-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 libmysqld19-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-bench-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-client-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-errormessages-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-galera-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-test-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 mariadb-tools-10.2.31-lp151.2.12.1 as a component of openSUSE Leap 15.1 A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1. CVE-2019-18901 openSUSE Leap 15.1:libmysqld-devel-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:libmysqld19-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-bench-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-client-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-galera-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-test-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-tools-10.2.31-lp151.2.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2WWOUCCIRD2P3YRI5GU76EFPRT63XZMG/ https://www.suse.com/security/cve/CVE-2019-18901.html CVE-2019-18901 https://bugzilla.suse.com/1160285 SUSE Bug 1160285 https://bugzilla.suse.com/1160895 SUSE Bug 1160895 Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). CVE-2020-2574 openSUSE Leap 15.1:libmysqld-devel-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:libmysqld19-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-bench-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-client-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-galera-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-test-10.2.31-lp151.2.12.1 openSUSE Leap 15.1:mariadb-tools-10.2.31-lp151.2.12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2WWOUCCIRD2P3YRI5GU76EFPRT63XZMG/ https://www.suse.com/security/cve/CVE-2020-2574.html CVE-2020-2574 https://bugzilla.suse.com/1161085 SUSE Bug 1161085 https://bugzilla.suse.com/1162388 SUSE Bug 1162388