mariadb-10.2 CVE-2017-10378 CVE-2017-10268 CVE-2017-15365 CVE-2017-3636 CVE-2017-3641 CVE-2017-3653 CVE-2017-10320 CVE-2017-10365 CVE-2017-10379 CVE-2017-10384 CVE-2017-10286 CVE-2017-3257

Debian Bug report logs - #884065

Package: src:mariadb-10.2; Maintainer for src:mariadb-10.2 is (unknown);

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Dec 2017 06:21:01 UTC

Severity: grave

Tags: security, upstream

Found in version mariadb-10.2/10.2.7-1

Fixed in version 10.2.7-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#884065; Package src:mariadb-10.2. (Mon, 11 Dec 2017 06:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 11 Dec 2017 06:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mariadb-10.2: CVE-2017-10378 CVE-2017-10268 CVE-2017-15365
Date: Mon, 11 Dec 2017 07:19:22 +0100
Source: mariadb-10.2
Version: 10.2.7-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for mariadb-10.2, these
are fixed in 10.2.10.

CVE-2017-10378[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Optimizer). Supported versions that are
| affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and
| earlier. Easily exploitable vulnerability allows low privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10268[1]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Replication). Supported versions that are
| affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and
| earlier. Difficult to exploit vulnerability allows high privileged
| attacker with logon to the infrastructure where MySQL Server executes
| to compromise MySQL Server. Successful attacks of this vulnerability
| can result in unauthorized access to critical data or complete access
| to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2017-15365[2]:
Replication in sql/event_data_objects.cc occurs before ACL checks

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378
[1] https://security-tracker.debian.org/tracker/CVE-2017-10268
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268
[2] https://security-tracker.debian.org/tracker/CVE-2017-15365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#884065; Package src:mariadb-10.2. (Mon, 11 Dec 2017 06:27:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 11 Dec 2017 06:27:05 GMT).


Message #10 received at 884065@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 884065@bugs.debian.org
Subject: Re: Bug#884065: mariadb-10.2: CVE-2017-10378 CVE-2017-10268 CVE-2017-15365
Date: Mon, 11 Dec 2017 07:24:56 +0100
Control: retitle -1 mariadb-10.2 CVE-2017-10378 CVE-2017-10268 CVE-2017-15365 CVE-2017-3636 CVE-2017-3641 CVE-2017-3653 CVE-2017-10320 CVE-2017-10365 CVE-2017-10379 CVE-2017-10384 CVE-2017-10286 CVE-2017-3257 

On Mon, Dec 11, 2017 at 07:19:22AM +0100, Salvatore Bonaccorso wrote:
> Source: mariadb-10.2
> Version: 10.2.7-1
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the following vulnerabilities were published for mariadb-10.2, these
> are fixed in 10.2.10.

There are the following more as well addressed in 10.2.8:

CVE-2017-3636
CVE-2017-3641
CVE-2017-3653
CVE-2017-10320
CVE-2017-10365
CVE-2017-10379
CVE-2017-10384
CVE-2017-10286
CVE-2017-3257

Cf. https://mariadb.com/kb/en/library/mariadb-1028-release-notes/

Regards,
Salvatore



Changed Bug title to 'mariadb-10.2 CVE-2017-10378 CVE-2017-10268 CVE-2017-15365 CVE-2017-3636 CVE-2017-3641 CVE-2017-3653 CVE-2017-10320 CVE-2017-10365 CVE-2017-10379 CVE-2017-10384 CVE-2017-10286 CVE-2017-3257' from 'mariadb-10.2: CVE-2017-10378 CVE-2017-10268 CVE-2017-15365'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 884065-submit@bugs.debian.org. (Mon, 11 Dec 2017 06:27:05 GMT).


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sat, 03 Mar 2018 22:18:23 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 03 Mar 2018 22:18:23 GMT).


Message #17 received at 884065-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 880667-done@bugs.debian.org,880668-done@bugs.debian.org,880892-done@bugs.debian.org,881273-done@bugs.debian.org,881768-done@bugs.debian.org,882063-done@bugs.debian.org,882433-done@bugs.debian.org,884065-done@bugs.debian.org,
Cc: mariadb-10.2@packages.debian.org
Subject: Bug#891641: Removed package(s) from unstable
Date: Sat, 03 Mar 2018 22:16:03 +0000
Version: 10.2.7-1+rm

Dear submitter,

as the package mariadb-10.2 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/891641

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#884065; Package src:mariadb-10.2. (Sat, 03 Mar 2018 22:33:11 GMT).


Acknowledgement sent to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Sat, 03 Mar 2018 22:33:11 GMT).


Message #22 received at 884065@bugs.debian.org:

From: Otto Kekäläinen <otto@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 884065@bugs.debian.org
Subject: Re: [debian-mysql] Bug#884065: mariadb-10.2: CVE-2017-10378 CVE-2017-10268 CVE-2017-15365
Date: Sun, 4 Mar 2018 00:08:03 +0200

There is not enough maintenance power to maintain as many MariaDB
versions in Debian in parallel as we have now. The package
mariadb-10.2 is to be removed from Debian unstable and the security
update efforts will focus on quicker 10.1 and 10.3 uploads.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Apr 2018 07:30:09 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:53 2019; Machine Name: buxtehude