Security: Multiple problems in MariaDB
Name: Multiple problems in MariaDB
ID: SUSE-SU-2015:0743-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Software Development Kit 12, SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Workstation Extension 12
Date: Tue, 21 April 2015, 23:20
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0432

Original message

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:0743-1
Rating: important
References: #873351 #876282 #880891 #896400 #904627 #906117
#906194 #911442 #911556 #915911 #915912 #915913
#915914 #919229
Cross-References: CVE-2010-5298 CVE-2012-5615 CVE-2014-0195
CVE-2014-0198 CVE-2014-0221 CVE-2014-0224
CVE-2014-2494 CVE-2014-3470 CVE-2014-4207
CVE-2014-4258 CVE-2014-4260 CVE-2014-4274
CVE-2014-4287 CVE-2014-6463 CVE-2014-6464
CVE-2014-6469 CVE-2014-6474 CVE-2014-6478
CVE-2014-6484 CVE-2014-6489 CVE-2014-6491
CVE-2014-6494 CVE-2014-6495 CVE-2014-6496
CVE-2014-6500 CVE-2014-6505 CVE-2014-6507
CVE-2014-6520 CVE-2014-6530 CVE-2014-6551
CVE-2014-6555 CVE-2014-6559 CVE-2014-6564
CVE-2014-6568 CVE-2015-0374 CVE-2015-0381
CVE-2015-0382 CVE-2015-0391 CVE-2015-0411
CVE-2015-0432
Affected Products:
SUSE Linux Enterprise Workstation Extension 12
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

An update that fixes 40 vulnerabilities is now available.

Description:

mariadb was updated to version 10.0.16 to fix 40 security issues.

These security issues were fixed:
- CVE-2015-0411: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier, and 5.6.21 and earlier, allowed remote attackers to affect
confidentiality, integrity, and availability via unknown vectors related
to Server : Security : Encryption (bnc#915911).
- CVE-2015-0382: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier and 5.6.21 and earlier allowed remote attackers to affect
availability via unknown vectors related to Server : Replication, a
different vulnerability than CVE-2015-0381 (bnc#915911).
- CVE-2015-0381: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier and 5.6.21 and earlier allowed remote attackers to affect
availability via unknown vectors related to Server : Replication, a
different vulnerability than CVE-2015-0382 (bnc#915911).
- CVE-2015-0432: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier allowed remote authenticated users to affect availability
via vectors related to Server : InnoDB : DDL : Foreign Key (bnc#915911).
- CVE-2014-6568: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier, and 5.6.21 and earlier, allowed remote authenticated users
to affect availability via vectors related to Server : InnoDB : DML
(bnc#915911).
- CVE-2015-0374: Unspecified vulnerability in Oracle MySQL Server 5.5.40
and earlier and 5.6.21 and earlier allowed remote authenticated users to
affect confidentiality via unknown vectors related to Server : Security
: Privileges : Foreign Key (bnc#915911).
- CVE-2014-6507: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier, and 5.6.20 and earlier, allowed remote authenticated users
to affect confidentiality, integrity, and availability via vectors
related to SERVER:DML (bnc#915912).
- CVE-2014-6491: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier and 5.6.20 and earlier allowed remote attackers to affect
confidentiality, integrity, and availability via vectors related to
SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500
(bnc#915912).
- CVE-2014-6500: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier, and 5.6.20 and earlier, allowed remote attackers to affect
confidentiality, integrity, and availability via vectors related to
SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491
(bnc#915912).
- CVE-2014-6469: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier and 5.6.20 and earlier allowed remote authenticated users to
affect availability via vectors related to SERVER:OPTIMIZER (bnc#915912).
- CVE-2014-6555: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier and 5.6.20 and earlier allowed remote authenticated users to
affect confidentiality, integrity, and availability via vectors related
to SERVER:DML (bnc#915912).
- CVE-2014-6559: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier, and 5.6.20 and earlier, allowed remote attackers to affect
confidentiality via vectors related to C API SSL CERTIFICATE HANDLING
(bnc#915912).
- CVE-2014-6494: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier, and 5.6.20 and earlier, allowed remote attackers to affect
availability via vectors related to CLIENT:SSL:yaSSL, a different
vulnerability than CVE-2014-6496 (bnc#915912).
- CVE-2014-6496: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier, and 5.6.20 and earlier, allowed remote attackers to affect
availability via vectors related to CLIENT:SSL:yaSSL, a different
vulnerability than CVE-2014-6494 (bnc#915912).
- CVE-2014-6464: Unspecified vulnerability in Oracle MySQL Server 5.5.39
and earlier and 5.6.20 and earlier allowed remote authenticated users to
affect availability via vectors related to SERVER:INNODB DML FOREIGN
KEYS (bnc#915912).
- CVE-2010-5298: Race condition in the ssl3_read_bytes function in
s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is
enabled, allowed remote attackers to inject data across sessions or
cause a denial of service (use-after-free and parsing error) via an SSL
connection in a multithreaded environment (bnc#873351).
- CVE-2014-0195: The dtls1_reassemble_fragment function in d1_both.c in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did
not properly validate fragment lengths in DTLS ClientHello messages,
which allowed remote attackers to execute arbitrary code or cause a
denial of service (buffer overflow and application crash) via a long
non-initial fragment (bnc#880891).
- CVE-2014-0198: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, did not
properly manage a buffer pointer during certain recursive calls, which
allowed remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors that trigger an alert
condition (bnc#876282).
- CVE-2014-0221: The dtls1_get_message_fragment function in d1_both.c in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
allowed remote attackers to cause a denial of service (recursion and
client crash) via a DTLS hello message in an invalid DTLS handshake
(bnc#915913).
- CVE-2014-0224: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1
before 1.0.1h did not properly restrict processing of ChangeCipherSpec
messages, which allowed man-in-the-middle attackers to trigger use of a
zero-length master key in certain OpenSSL-to-OpenSSL communications, and
consequently hijack sessions or obtain sensitive information, via a
crafted TLS handshake, aka the "CCS Injection" vulnerability
(bnc#915913).
- CVE-2014-3470: The ssl3_send_client_key_exchange function in s3_clnt.c
in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h,
when an anonymous ECDH cipher suite is used, allowed remote attackers to
cause a denial of service (NULL pointer dereference and client crash) by
triggering a NULL certificate value (bnc#915913).
- CVE-2014-6474: Unspecified vulnerability in Oracle MySQL Server 5.6.19
and earlier allowed remote authenticated users to affect availability
via vectors related to SERVER:MEMCACHED (bnc#915913).
- CVE-2014-6489: Unspecified vulnerability in Oracle MySQL Server 5.6.19
and earlier allowed remote authenticated users to affect integrity and
availability via vectors related to SERVER:SP (bnc#915913).
- CVE-2014-6564: Unspecified vulnerability in Oracle MySQL Server 5.6.19
and earlier allowed remote authenticated users to affect availability
via vectors related to SERVER:INNODB FULLTEXT SEARCH DML (bnc#915913).
- CVE-2012-5615: Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and
MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions,
generates different error messages with different time delays depending
on whether a user name exists, which allowed remote attackers to
enumerate valid usernames (bnc#915913).
- CVE-2014-4274: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier and 5.6.19 and earlier allowed local users to affect
confidentiality, integrity, and availability via vectors related to
SERVER:MyISAM (bnc#896400).
- CVE-2014-4287: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier and 5.6.19 and earlier allowed remote authenticated users to
affect availability via vectors related to SERVER:CHARACTER SETS
(bnc#915913).
- CVE-2014-6463: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier and 5.6.19 and earlier allowed remote authenticated users to
affect availability via vectors related to SERVER:REPLICATION ROW FORMAT
BINARY LOG DML (bnc#915913).
- CVE-2014-6478: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote attackers to affect
integrity via vectors related to SERVER:SSL:yaSSL (bnc#915913).
- CVE-2014-6484: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote authenticated users
to affect availability via vectors related to SERVER:DML (bnc#915913).
- CVE-2014-6495: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote attackers to affect
availability via vectors related to SERVER:SSL:yaSSL (bnc#915913).
- CVE-2014-6505: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote authenticated users
to affect availability via vectors related to SERVER:MEMORY STORAGE
ENGINE (bnc#915913).
- CVE-2014-6520: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier allowed remote authenticated users to affect availability
via vectors related to SERVER:DDL (bnc#915913).
- CVE-2014-6530: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote authenticated users
to affect confidentiality, integrity, and availability via vectors
related to CLIENT:MYSQLDUMP (bnc#915913).
- CVE-2014-6551: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier and 5.6.19 and earlier allowed local users to affect
confidentiality via vectors related to CLIENT:MYSQLADMIN (bnc#915913).
- CVE-2015-0391: Unspecified vulnerability in Oracle MySQL Server 5.5.38
and earlier, and 5.6.19 and earlier, allowed remote authenticated users
to affect availability via vectors related to DDL (bnc#915913).
- CVE-2014-4258: Unspecified vulnerability in the MySQL Server component
in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allowed remote
authenticated users to affect confidentiality, integrity, and
availability via vectors related to SRINFOSC (bnc#915914).
- CVE-2014-4260: Unspecified vulnerability in the MySQL Server component
in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allowed
remote authenticated users to affect integrity and availability via
vectors related to SRCHAR (bnc#915914).
- CVE-2014-2494: Unspecified vulnerability in the MySQL Server component
in Oracle MySQL 5.5.37 and earlier allowed remote authenticated users to
affect availability via vectors related to ENARC (bnc#915914).
- CVE-2014-4207: Unspecified vulnerability in the MySQL Server component
in Oracle MySQL 5.5.37 and earlier allowed remote authenticated users to
affect availability via vectors related to SROPTZR (bnc#915914).

These non-security issues were fixed:
- Get query produced incorrect results in MariaDB 10.0.11 vs MySQL 5.5 -
SLES12 (bnc#906194).
- After update to version 10.0.14 mariadb did not start - Job for
mysql.service failed (bnc#911442).
- Fix crash when disk full situation is reached on alter table
(bnc#904627).
- Allow md5 in FIPS mode (bnc#911556).
- Fixed a situation when bit and hex string literals unintentionally
changed column names (bnc#919229).

Release notes: https://kb.askmonty.org/en/mariadb-10016-release-notes/


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12:

zypper in -t patch SUSE-SLE-WE-12-2015-170=1

- SUSE Linux Enterprise Software Development Kit 12:

zypper in -t patch SUSE-SLE-SDK-12-2015-170=1

- SUSE Linux Enterprise Server 12:

zypper in -t patch SUSE-SLE-SERVER-12-2015-170=1

- SUSE Linux Enterprise Desktop 12:

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-170=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Workstation Extension 12 (x86_64):

libmysqlclient_r18-10.0.16-15.1
libmysqlclient_r18-32bit-10.0.16-15.1
mariadb-debuginfo-10.0.16-15.1
mariadb-debugsource-10.0.16-15.1

- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

libmysqlclient-devel-10.0.16-15.1
libmysqlclient_r18-10.0.16-15.1
libmysqld-devel-10.0.16-15.1
libmysqld18-10.0.16-15.1
libmysqld18-debuginfo-10.0.16-15.1
mariadb-debuginfo-10.0.16-15.1
mariadb-debugsource-10.0.16-15.1

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

libmysqlclient18-10.0.16-15.1
libmysqlclient18-debuginfo-10.0.16-15.1
mariadb-10.0.16-15.1
mariadb-client-10.0.16-15.1
mariadb-client-debuginfo-10.0.16-15.1
mariadb-debuginfo-10.0.16-15.1
mariadb-debugsource-10.0.16-15.1
mariadb-errormessages-10.0.16-15.1
mariadb-tools-10.0.16-15.1
mariadb-tools-debuginfo-10.0.16-15.1

- SUSE Linux Enterprise Server 12 (s390x x86_64):

libmysqlclient18-32bit-10.0.16-15.1
libmysqlclient18-debuginfo-32bit-10.0.16-15.1

- SUSE Linux Enterprise Desktop 12 (x86_64):

libmysqlclient18-10.0.16-15.1
libmysqlclient18-32bit-10.0.16-15.1
libmysqlclient18-debuginfo-10.0.16-15.1
libmysqlclient18-debuginfo-32bit-10.0.16-15.1
libmysqlclient_r18-10.0.16-15.1
libmysqlclient_r18-32bit-10.0.16-15.1
mariadb-10.0.16-15.1
mariadb-client-10.0.16-15.1
mariadb-client-debuginfo-10.0.16-15.1
mariadb-debuginfo-10.0.16-15.1
mariadb-debugsource-10.0.16-15.1
mariadb-errormessages-10.0.16-15.1

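The package list above gives the fixed version-release, 10.0.16-15.1, for every package in this update. The following script is an added example and not part of the SUSE advisory: it compares installed mariadb package versions against that fixed version so a host can be audited without trusting "zypper patch" ran to completion. The version comparison is a numeric-only simplification of rpm's own rpmvercmp (sufficient for these version strings), the package names queried are taken from the package list above, and the sample input lines and the pre-advisory version 10.0.14-3.1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): report whether the mariadb
# packages on a SLE 12 host are at or above the fixed version-release
# 10.0.16-15.1 listed in SUSE-SU-2015:0743-1. The comparison works on
# "NAME VERSION-RELEASE" lines, which `rpm -q` produces on a real host.

FIXED_VR="10.0.16-15.1"   # version-release of every package in the advisory

# vercmp A B: print -1, 0 or 1 as A <, = or > B. Handles purely numeric
# dotted/dashed version-release strings (enough for 10.0.16-15.1); this is a
# simplification of rpm's rpmvercmp, which also orders alphabetic segments.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ha=${a%%.*}; hb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ha=${ha:-0}; hb=${hb:-0}      # missing trailing segment counts as 0
        if [ "$ha" -lt "$hb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ha" -gt "$hb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# package_status NAME VERSION-RELEASE: return 0 if NAME is at or above the
# fixed version, 1 if it is still vulnerable; print a one-line verdict.
package_status() {
    case $(vercmp "$2" "$FIXED_VR") in
        -1) printf '%s %s: VULNERABLE (fixed in %s)\n' "$1" "$2" "$FIXED_VR"; return 1 ;;
        *)  printf '%s %s: ok\n' "$1" "$2"; return 0 ;;
    esac
}

# audit_lines: read "NAME VERSION-RELEASE" lines on stdin, report each one,
# return 1 if any package is below the fixed version.
audit_lines() {
    rc=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        package_status "$name" "$vr" || rc=1
    done
    return $rc
}

# audit_host: the live form, querying the RPM database for the server and
# client packages named in the advisory (run as: sh mariadb-check.sh --live).
# rpm prints "package X is not installed" for absent packages; drop those.
audit_host() {
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
        mariadb mariadb-client mariadb-tools libmysqlclient18 libmysqlclient_r18 2>/dev/null \
        | grep -v 'is not installed' | audit_lines
}

# Constructed sample input: one patched package and one pre-advisory build.
SAMPLE='mariadb 10.0.16-15.1
libmysqlclient18 10.0.14-3.1'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    printf '%s\n' "$SAMPLE" | audit_lines \
        || echo "at least one package still needs SUSE-SU-2015:0743-1"
fi
```

A package at the fixed version is only half the check: a mysqld that was started before the update keeps the old libraries mapped until mysql.service is restarted, and zypper does not restart it for you. On SLE 12, `zypper ps` lists processes still using deleted files after an update; restart those before considering the host fixed.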

References:

https://www.suse.com/security/cve/CVE-2010-5298.html
https://www.suse.com/security/cve/CVE-2012-5615.html
https://www.suse.com/security/cve/CVE-2014-0195.html
https://www.suse.com/security/cve/CVE-2014-0198.html
https://www.suse.com/security/cve/CVE-2014-0221.html
https://www.suse.com/security/cve/CVE-2014-0224.html
https://www.suse.com/security/cve/CVE-2014-2494.html
https://www.suse.com/security/cve/CVE-2014-3470.html
https://www.suse.com/security/cve/CVE-2014-4207.html
https://www.suse.com/security/cve/CVE-2014-4258.html
https://www.suse.com/security/cve/CVE-2014-4260.html
https://www.suse.com/security/cve/CVE-2014-4274.html
https://www.suse.com/security/cve/CVE-2014-4287.html
https://www.suse.com/security/cve/CVE-2014-6463.html
https://www.suse.com/security/cve/CVE-2014-6464.html
https://www.suse.com/security/cve/CVE-2014-6469.html
https://www.suse.com/security/cve/CVE-2014-6474.html
https://www.suse.com/security/cve/CVE-2014-6478.html
https://www.suse.com/security/cve/CVE-2014-6484.html
https://www.suse.com/security/cve/CVE-2014-6489.html
https://www.suse.com/security/cve/CVE-2014-6491.html
https://www.suse.com/security/cve/CVE-2014-6494.html
https://www.suse.com/security/cve/CVE-2014-6495.html
https://www.suse.com/security/cve/CVE-2014-6496.html
https://www.suse.com/security/cve/CVE-2014-6500.html
https://www.suse.com/security/cve/CVE-2014-6505.html
https://www.suse.com/security/cve/CVE-2014-6507.html
https://www.suse.com/security/cve/CVE-2014-6520.html
https://www.suse.com/security/cve/CVE-2014-6530.html
https://www.suse.com/security/cve/CVE-2014-6551.html
https://www.suse.com/security/cve/CVE-2014-6555.html
https://www.suse.com/security/cve/CVE-2014-6559.html
https://www.suse.com/security/cve/CVE-2014-6564.html
https://www.suse.com/security/cve/CVE-2014-6568.html
https://www.suse.com/security/cve/CVE-2015-0374.html
https://www.suse.com/security/cve/CVE-2015-0381.html
https://www.suse.com/security/cve/CVE-2015-0382.html
https://www.suse.com/security/cve/CVE-2015-0391.html
https://www.suse.com/security/cve/CVE-2015-0411.html
https://www.suse.com/security/cve/CVE-2015-0432.html
https://bugzilla.suse.com/873351
https://bugzilla.suse.com/876282
https://bugzilla.suse.com/880891
https://bugzilla.suse.com/896400
https://bugzilla.suse.com/904627
https://bugzilla.suse.com/906117
https://bugzilla.suse.com/906194
https://bugzilla.suse.com/911442
https://bugzilla.suse.com/911556
https://bugzilla.suse.com/915911
https://bugzilla.suse.com/915912
https://bugzilla.suse.com/915913
https://bugzilla.suse.com/915914
https://bugzilla.suse.com/919229

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org