SUSE-SU-2015:0743-1

Source
https://www.suse.com/support/update/announcement/2015/suse-su-20150743-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:0743-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2015:0743-1
Related
  • CVE-2010-5298
  • CVE-2012-5615
  • CVE-2014-0195
  • CVE-2014-0198
  • CVE-2014-0221
  • CVE-2014-0224
  • CVE-2014-2494
  • CVE-2014-3470
  • CVE-2014-4207
  • CVE-2014-4258
  • CVE-2014-4260
  • CVE-2014-4274
  • CVE-2014-4287
  • CVE-2014-6463
  • CVE-2014-6464
  • CVE-2014-6469
  • CVE-2014-6474
  • CVE-2014-6478
  • CVE-2014-6484
  • CVE-2014-6489
  • CVE-2014-6491
  • CVE-2014-6494
  • CVE-2014-6495
  • CVE-2014-6496
  • CVE-2014-6500
  • CVE-2014-6505
  • CVE-2014-6507
  • CVE-2014-6520
  • CVE-2014-6530
  • CVE-2014-6551
  • CVE-2014-6555
  • CVE-2014-6559
  • CVE-2014-6564
  • CVE-2014-6568
  • CVE-2015-0374
  • CVE-2015-0381
  • CVE-2015-0382
  • CVE-2015-0391
  • CVE-2015-0411
  • CVE-2015-0432
Published
2015-03-03T00:49:26Z
Modified
2015-03-03T00:49:26Z
Summary
Security update for mariadb
Details

mariadb was updated to version 10.0.16 to fix 40 security issues.

These security issues were fixed: - CVE-2015-0411: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption (bnc#915911). - CVE-2015-0382: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allowed remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381 (bnc#915911). - CVE-2015-0381: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allowed remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382 (bnc#915911). - CVE-2015-0432: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allowed remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key (bnc#915911). - CVE-2014-6568: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allowed remote authenticated users to affect availability via vectors related to Server : InnoDB : DML (bnc#915911). - CVE-2015-0374: Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allowed remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key (bnc#915911). - CVE-2014-6507: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allowed remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML (bnc#915912). - CVE-2014-6491: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500 (bnc#915912). - CVE-2014-6500: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491 (bnc#915912). - CVE-2014-6469: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and eariler and 5.6.20 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER (bnc#915912). - CVE-2014-6555: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allowed remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML (bnc#915912). - CVE-2014-6559: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allowed remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING (bnc#915912). - CVE-2014-6494: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allowed remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496 (bnc#915912). - CVE-2014-6496: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allowed remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494 (bnc#915912). - CVE-2014-6464: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS (bnc#915912). - CVE-2010-5298: Race condition in the ssl3readbytes function in s3pkt.c in OpenSSL through 1.0.1g, when SSLMODERELEASEBUFFERS is enabled, allowed remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment (bnc#873351). - CVE-2014-0195: The dtls1reassemblefragment function in d1both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not properly validate fragment lengths in DTLS ClientHello messages, which allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment (bnc#880891). - CVE-2014-0198: The dossl3write function in s3pkt.c in OpenSSL 1.x through 1.0.1g, when SSLMODERELEASEBUFFERS is enabled, did not properly manage a buffer pointer during certain recursive calls, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition (bnc#876282). - CVE-2014-0221: The dtls1getmessagefragment function in d1both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allowed remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake (bnc#915913). - CVE-2014-0224: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not properly restrict processing of ChangeCipherSpec messages, which allowed man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability (bnc#915913). - CVE-2014-3470: The ssl3sendclientkeyexchange function in s3clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allowed remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value (bnc#915913). - CVE-2014-6474: Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED (bnc#915913). - CVE-2014-6489: Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allowed remote authenticated users to affect integrity and availability via vectors related to SERVER:SP (bnc#915913). - CVE-2014-6564: Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML (bnc#915913). - CVE-2012-5615: Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allowed remote attackers to enumerate valid usernames (bnc#915913). - CVE-2014-4274: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allowed local users to affect confidentiality, integrity, and availability via vectors related to SERVER:MyISAM (bnc#896400). - CVE-2014-4287: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:CHARACTER SETS (bnc#915913). - CVE-2014-6463: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML (bnc#915913). - CVE-2014-6478: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL (bnc#915913). - CVE-2014-6484: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote authenticated users to affect availability via vectors related to SERVER:DML (bnc#915913). - CVE-2014-6495: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote attackers to affect availability via vectors related to SERVER:SSL:yaSSL (bnc#915913). - CVE-2014-6505: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote authenticated users to affect availability via vectors related to SERVER:MEMORY STORAGE ENGINE (bnc#915913). - CVE-2014-6520: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allowed remote authenticated users to affect availability via vectors related to SERVER:DDL (bnc#915913). - CVE-2014-6530: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote authenticated users to affect confidentiality, integrity, and availability via vectors related to CLIENT:MYSQLDUMP (bnc#915913). - CVE-2014-6551: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allowed local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN (bnc#915913). - CVE-2015-0391: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allowed remote authenticated users to affect availability via vectors related to DDL (bnc#915913). - CVE-2014-4258: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allowed remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC (bnc#915914). - CVE-2014-4260: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allowed remote authenticated users to affect integrity and availability via vectors related to SRCHAR (bnc#915914). - CVE-2014-2494: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allowed remote authenticated users to affect availability via vectors related to ENARC (bnc#915914). - CVE-2014-4207: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allowed remote authenticated users to affect availability via vectors related to SROPTZR (bnc#915914).

These non-security issues were fixed: - Get query produced incorrect results in MariaDB 10.0.11 vs MySQL 5.5 - SLES12 (bnc#906194). - After update to version 10.0.14 mariadb did not start - Job for mysql.service failed (bnc#911442). - Fix crash when disk full situation is reached on alter table (bnc#904627). - Allow md5 in FIPS mode (bnc#911556). - Fixed a situation when bit and hex string literals unintentionally changed column names (bnc#919229).

Release notes: https://kb.askmonty.org/en/mariadb-10016-release-notes/

References

Affected packages

SUSE:Linux Enterprise Desktop 12 / mariadb

Package

Name
mariadb
Purl
pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.16-15.1

Ecosystem specific

{
    "binaries": [
        {
            "libmysqlclient_r18-32bit": "10.0.16-15.1",
            "mariadb-errormessages": "10.0.16-15.1",
            "libmysqlclient18": "10.0.16-15.1",
            "libmysqlclient_r18": "10.0.16-15.1",
            "mariadb": "10.0.16-15.1",
            "libmysqlclient18-32bit": "10.0.16-15.1",
            "mariadb-client": "10.0.16-15.1"
        }
    ]
}

SUSE:Linux Enterprise Software Development Kit 12 / mariadb

Package

Name
mariadb
Purl
pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.16-15.1

Ecosystem specific

{
    "binaries": [
        {
            "libmysqlclient_r18": "10.0.16-15.1",
            "libmysqld18": "10.0.16-15.1",
            "libmysqld-devel": "10.0.16-15.1",
            "libmysqlclient-devel": "10.0.16-15.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 / mariadb

Package

Name
mariadb
Purl
pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.16-15.1

Ecosystem specific

{
    "binaries": [
        {
            "libmysqlclient18": "10.0.16-15.1",
            "mariadb-errormessages": "10.0.16-15.1",
            "mariadb": "10.0.16-15.1",
            "libmysqlclient18-32bit": "10.0.16-15.1",
            "mariadb-client": "10.0.16-15.1",
            "mariadb-tools": "10.0.16-15.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 / mariadb

Package

Name
mariadb
Purl
pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.16-15.1

Ecosystem specific

{
    "binaries": [
        {
            "libmysqlclient18": "10.0.16-15.1",
            "mariadb-errormessages": "10.0.16-15.1",
            "mariadb": "10.0.16-15.1",
            "libmysqlclient18-32bit": "10.0.16-15.1",
            "mariadb-client": "10.0.16-15.1",
            "mariadb-tools": "10.0.16-15.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 12 / mariadb

Package

Name
mariadb
Purl
pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.16-15.1

Ecosystem specific

{
    "binaries": [
        {
            "libmysqlclient_r18": "10.0.16-15.1",
            "libmysqlclient_r18-32bit": "10.0.16-15.1"
        }
    ]
}