Moderate: mariadb security and bug fix update

Synopsis

Moderate: mariadb security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update for mariadb is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version: mariadb (5.5.60). (BZ#1584668, BZ#1584671, BZ#1584674, BZ#1601085)

Security Fix(es):

• mysql: Client programs unspecified vulnerability (CPU Jul 2017) (CVE-2017-3636)
  
• mysql: Server: DML unspecified vulnerability (CPU Jul 2017) (CVE-2017-3641)
  
• mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017) (CVE-2017-3651)
  
• mysql: Server: Replication unspecified vulnerability (CPU Oct 2017) (CVE-2017-10268)
  
• mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017) (CVE-2017-10378)
  
• mysql: Client programs unspecified vulnerability (CPU Oct 2017) (CVE-2017-10379)
  
• mysql: Server: DDL unspecified vulnerability (CPU Oct 2017) (CVE-2017-10384)
  
• mysql: Server: Partition unspecified vulnerability (CPU Jan 2018) (CVE-2018-2562)
  
• mysql: Server: DDL unspecified vulnerability (CPU Jan 2018) (CVE-2018-2622)
  
• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2640)
  
• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2665)
  
• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2668)
  
• mysql: Server: Replication unspecified vulnerability (CPU Apr 2018) (CVE-2018-2755)
  
• mysql: Client programs unspecified vulnerability (CPU Apr 2018) (CVE-2018-2761)
  
• mysql: Server: Locking unspecified vulnerability (CPU Apr 2018) (CVE-2018-2771)
  
• mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018) (CVE-2018-2781)
  
• mysql: Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2813)
  
• mysql: Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2817)
  
• mysql: InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2819)
  
• mysql: Server: DDL unspecified vulnerability (CPU Jul 2017) (CVE-2017-3653)
  
• mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM) (CVE-2018-2767)
  

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Previously, the mysqladmin tool waited for an inadequate length of time if the socket it listened on did not respond in a specific way. Consequently, when the socket was used while the MariaDB server was starting, the mariadb service became unresponsive for a long time. With this update, the mysqladmin timeout has been shortened to 2 seconds. As a result, the mariadb service either starts or fails but no longer hangs in the described situation. (BZ#1584023)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.5 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux for ARM 64 7 aarch64
• Red Hat Enterprise Linux for Power 9 7 ppc64le
• Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
• Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

• BZ - 1472686 - CVE-2017-3636 mysql: Client programs unspecified vulnerability (CPU Jul 2017)
• BZ - 1472693 - CVE-2017-3641 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
• BZ - 1472708 - CVE-2017-3651 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017)
• BZ - 1472711 - CVE-2017-3653 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
• BZ - 1503656 - CVE-2017-10268 mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
• BZ - 1503684 - CVE-2017-10378 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
• BZ - 1503685 - CVE-2017-10379 mysql: Client programs unspecified vulnerability (CPU Oct 2017)
• BZ - 1503686 - CVE-2017-10384 mysql: Server: DDL unspecified vulnerability (CPU Oct 2017)
• BZ - 1535484 - CVE-2018-2562 mysql: Server: Partition unspecified vulnerability (CPU Jan 2018)
• BZ - 1535499 - CVE-2018-2622 mysql: Server: DDL unspecified vulnerability (CPU Jan 2018)
• BZ - 1535500 - CVE-2018-2640 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
• BZ - 1535504 - CVE-2018-2665 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
• BZ - 1535506 - CVE-2018-2668 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
• BZ - 1564965 - CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
• BZ - 1568921 - CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
• BZ - 1568924 - CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
• BZ - 1568931 - CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)
• BZ - 1568942 - CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
• BZ - 1568951 - CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
• BZ - 1568954 - CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
• BZ - 1568956 - CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
• BZ - 1584023 - systemctl start mariadb - hangs if sock file is used by another process [rhel-7.5.z]
• BZ - 1584024 - MariaDB crashing due to specific SQL statement [rhel-7.5.z]
• BZ - 1584029 - MariaDB server segfaults with select query [rhel-7.5.z]

CVEs

• CVE-2017-3636
• CVE-2017-3641
• CVE-2017-3651
• CVE-2017-3653
• CVE-2017-10268
• CVE-2017-10378
• CVE-2017-10379
• CVE-2017-10384
• CVE-2018-2562
• CVE-2018-2622
• CVE-2018-2640
• CVE-2018-2665
• CVE-2018-2668
• CVE-2018-2755
• CVE-2018-2761
• CVE-2018-2767
• CVE-2018-2771
• CVE-2018-2781
• CVE-2018-2813
• CVE-2018-2817
• CVE-2018-2819
• CVE-2018-3133

References

• https://access.redhat.com/security/updates/classification/#moderate