April 2019 Oracle CPU might also affect MariaDB

Bug #1825572 reported by Seth Arnold
Affects                 Status         Importance   Assigned to        Milestone
mariadb-10.0 (Ubuntu)   Won't Fix      Medium       Otto Kekäläinen
mariadb-10.1 (Ubuntu)   Fix Released   Medium       Otto Kekäläinen
mariadb-10.3 (Ubuntu)   Fix Released   Medium       Otto Kekäläinen
mariadb-5.5 (Ubuntu)    Fix Released   Medium       Otto Kekäläinen

Bug Description

Presumably some of the issues raised in Oracle's April 2019 CPU apply to MariaDB:

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL

Thanks

Changed in mariadb-10.3 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Revision history for this message
Otto Kekäläinen (otto) wrote :

I'll keep you posted once Oracle published some info on what CVE maps to what actual issue and the page https://mariadb.com/kb/en/library/security/ updates.

Otto Kekäläinen (otto)
Changed in mariadb-5.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.0 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Revision history for this message
Otto Kekäläinen (otto) wrote :

MariaDB 5.5.64 was released today and the 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at https://salsa.debian.org/mariadb-team/mariadb-5.5/tree/ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor, note these: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
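The comment above (and the later ones for 10.1) asks the sponsor to check the SHA1SUM of the tarball that git-buildpackage regenerates from pristine-tar against the checksum upstream publishes. The following is an added example of that check, not code from the bug report or the MariaDB packaging; the tarball name, the SHA1SUM file layout ("<sha1>  <filename>" per line, as sha1sum emits) and the paths are assumptions.

```shell
#!/bin/sh
# Added example: confirm a git-buildpackage generated orig tarball matches the
# SHA1 upstream published for it before sponsoring the security upload.
# Assumption: SUMSFILE is a sha1sum-format list ("<sha1>  <filename>").

# verify_tarball TARBALL SUMSFILE
#   returns 0 when the tarball's SHA1 equals the entry for its basename,
#   1 when the checksum differs (tarball not byte-identical to upstream),
#   2 when SUMSFILE carries no entry for that file name.
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # Pick the checksum whose file name column matches exactly.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha1sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches upstream SHA1 $expected"
        return 0
    fi
    echo "MISMATCH: $name expected $expected, got $actual" >&2
    return 1
}
```

A mismatch means the pristine-tar delta or the upstream branch does not reproduce the released tarball, which should block the upload until the difference is explained.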

Otto Kekäläinen (otto)
summary: - april 2019 cpu
+ April 2019 Oracle CPU might also affect MariaDB
Revision history for this message
Otto Kekäläinen (otto) wrote :

MariaDB 10.1.39 was released yesterday and the 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.08 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-14.08

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changed in mariadb-10.1 (Ubuntu):
status: New → Fix Committed
Changed in mariadb-5.5 (Ubuntu):
status: New → Fix Committed
Revision history for this message
Otto Kekäläinen (otto) wrote :

Ping anybody?

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

I will be handling it for the security team, thanks Otto.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Otto,

You based your update on version 1:10.1.38-0ubuntu0.18.04.1.

We currently have in the archive version 1:10.1.38-0ubuntu0.18.04.2.

Could you please rebase your changes with what is in the archive?

Thanks in advance!

Revision history for this message
Otto Kekäläinen (otto) wrote :

Sorry, I was using only 'dgit -d ubuntu clone mariadb-10.1 bionic,-security' to fetch repo contents; apparently I need to use 'dgit -d ubuntu clone mariadb-10.1 bionic,-security,-updates' in the future. This is the first time anybody has ever done a non-security upload of MariaDB to a stable Ubuntu release.

Interesting commit by Dan Streetman <email address hidden> in that .2. I am surprised he didn't notify the maintainer or maintainer mailing list about this in any way, nor did he open a merge request on salsa.debian.org to get this incorporated into git where this package is maintained. Looks like he attempted to do a clean-up that I already cleaned up last year, originally introduced by Ondrej Sury's upload in the year before, which he never saved in the git repository (https://bugs.launchpad.net/ubuntu/+source/mariadb-10.1/+bug/1757107/comments/11). I am not sure if I want to get tangled in a fixup again because somebody did direct uploads without working via version control and pre-upload quality testing.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

OK, marking mariadb-10.1 as incomplete for now. Let us know once you have an update to sponsor. Thanks.

Changed in mariadb-10.1 (Ubuntu):
status: Fix Committed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-5.5 - 5.5.64-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.64-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.64. Includes fixes for
    the following security vulnerabilities (LP: #1825572):
    - CVE-2019-2627
    - CVE-2019-2614

 -- Otto Kekäläinen <email address hidden> Mon, 29 Apr 2019 22:18:13 +0300

Changed in mariadb-5.5 (Ubuntu):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in mariadb-10.0 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.1 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.3 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-5.5 (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Otto Kekäläinen (otto) wrote :

As documented on https://mariadb.org/about/maintenance-policy/ the 10.0 series is no longer maintained and will not get fixes without special arrangements. For the scope of this bug tracker I am marking it "Won't fix".

Changed in mariadb-10.0 (Ubuntu):
status: New → Won't Fix
Revision history for this message
Otto Kekäläinen (otto) wrote :

The 10.1 series update for 18.04 is now available.
Since .39, upstream discovered regressions, and thus there is now a .40 release, which is the best release to ship these security fixes.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changed in mariadb-10.1 (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks Otto for providing the update for 18.04.
We just released it and it should be available in the archive in some minutes.
We appreciate all the work you've done.

Changed in mariadb-10.1 (Ubuntu):
status: In Progress → Fix Released
Otto Kekäläinen (otto)
Changed in mariadb-10.3 (Ubuntu):
status: New → Fix Released