USN-3040-1: MySQL vulnerabilities partially applies to MariaDB too

The 5.5 series update for 14.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-14.04 branch at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?h=ubuntu-14.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds finished successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb/+builds?build_text=&build_state=all

Just in case you want to see it separately, I've attached the result of the command
  git diff ubuntu/5.5.49-1ubuntu0.14.04.1..HEAD debian/ > 5.5.49-1ubuntu0.14.04.1..HEAD.diff

10.0 series updates for 16.04 and 15.10 are now available.

Please use git-buildpackage to fetch and build from the ubuntu-16.04 and ubuntu-15.10 branches at http://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.0.git

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds finished successfully at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.0/+builds?build_text=&build_state=all

MariaDB 10.0.26 has already been uploaded to Debian unstable for some while. There was a regression in ppc64el builds that is now fixed and included in these Ubuntu branches.

Hi Otto - Thank you for the contributions! Sorry that it took my a little while to begin sponsoring these uploads but I believe that this is the first git-buildpackage upload that I've sponsored and it took me some time to figure out.

The 16.04 upload looks fine. The 15.10 upload will be ignored since it 15.10 is EOL as of last week.

I'm having some problems with the 14.04 upload. If I run the git diff command that you mentioned in comment 1, I see the same debdiff that you attached in comment 2. However, if I create a source upload based on your git-buildpackage tree and then look at the debdiff between mariadb-5.5_5.5.49-1ubuntu0.14.04.1.dsc and the generated mariadb-5.5_5.5.50-1ubuntu0.14.04.1.dsc, I get very different results. Many files in debian/ are changed. Here's the relevant snippet of the diffstat output:

 debian/additions/innotop/changelog.innotop | 357
 debian/additions/my.cnf | 171
 debian/changelog | 17
 debian/dist/Debian/mariadb-server-5.5.README.Debian | 109
 debian/dist/Debian/mariadb-server-5.5.dirs | 10
 debian/dist/Debian/mariadb-server-5.5.files.in | 75
 debian/dist/Debian/mariadb-server-5.5.postinst | 268
 debian/dist/Debian/mariadb-server-5.5.postrm | 83
 debian/dist/Debian/rules | 290
 debian/dist/Ubuntu/mariadb-server-5.5.README.Debian | 109
 debian/dist/Ubuntu/mariadb-server-5.5.dirs | 10
 debian/dist/Ubuntu/mariadb-server-5.5.postinst | 284
 debian/dist/Ubuntu/mariadb-server-5.5.postrm | 86
 debian/dist/Ubuntu/rules | 295
 debian/libmariadbclient-dev.files | 7
 debian/libmariadbclient18.files | 3
 debian/libmariadbd-dev.files | 2
 debian/mariadb-client-5.5.files | 28
 debian/mariadb-client-core-5.5.files | 4
 debian/mariadb-common.files | 1
 debian/mariadb-common.postrm | 8
 debian/mariadb-server-5.5.NEWS | 34
 debian/mariadb-server-core-5.5.files | 26
 debian/mariadb-test-5.5.files | 19
 debian/mysql-common.dirs | 1
 debian/mysql-common.files | 3
 debian/mysql-common.lintian-overrides | 2
 debian/mysql-common.postrm | 7
 debian/patches/00list | 11
 debian/patches/01_MAKEFILES__Docs_Images_Makefile.in.dpatch | 776 ...

Also, can you tell me what amount of testing you've performed on these Ubuntu builds of mariadb?

Sorry for the long delay in replying. It seems that at some point somebody who did the upload has had some mixup, and used the debian/* contents from the mariadb.org upstream and not from the sources I provided.

The mixup is understandable. When you untar the upstream package, there is already some contents in debian/* (upstream legacy). The uploader needs to remove that, import the debian/* from the current package in Ubuntu and then apply the debdiff I provided to get the new changelog entry etc.

From now on I will only provide git-buildpackage branches and ask the uploader to use them. That is less error prone, as the uploader does not need to untar and move folders and apply patches manually at all. Running git-buildpackage is all that is needed, and everything can be verified thanks to the pristine-tar and gpg signatures provides by git-buildpackage.

What to do with the mixed up mariadb-5.5 in 14.04 then? I don't know. I will continue to maintain the branch ubuntu-14.04 at https://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/log/?id=refs/heads/ubuntu-14.04 how it was and should be. I would hope the mariadb-5.5 in Ubuntu official repos would have the mixup cleaned away, but I don't have resources at the moment to test if that causes some regressions and if it is feasible to do.

Actually, it should be pretty feasible to do, as the MariaDB 5.5. packages in Debian and Ubuntu (which stem from the same official Debian packaging) have been previously tested to be compatible with the legacy packaging used by upstream MariaDB.org, so that it is easy for people to upgrade from legacy packaging to the official and correct packaging done Debian Developers and released at Debian repositories.

It seems this 10.0.26 has not yet been uploaded to Xenial. I shall soon start preparing 10.0.27 due to CVE-2016-6662 (see https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html)

Will you work on 5.5.51 (for 14.04 “Trusty”) also (for the same CVE)?

Yes, I will. So the plan is now that I should remove the never uploaded commits from the ubuntu-14.04 and ubuntu 16.04 branches and jump straight to updating the branches read for 5.5.51 and 10.0.27 uploading.

I have now prepared 5.5.52 for Trusty and 10.0.27 for Xenial. I will not prepare an update for Wily anymore, as it is EOL. Xenial can sync from Debian.

Sources and build logs are available at the same locations as linked above. Test builds in the PPA are still running. I'll ping you when all testing has passed.

This bug was fixed in the package mariadb-10.0 - 10.0.27-0ubuntu0.16.04.1

---------------
mariadb-10.0 (10.0.27-0ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: New upstream release 10.0.27. Includes fixes for the
    following security vulnerabilities (LP: #1605493):
    - CVE-2016-6662
  * Previous release 10.0.26 included included fixes for
    the following security vulnerabilities:
    - CVE-2016-3615
    - CVE-2016-3521
    - CVE-2016-3477
  * Update old changelog entries to include new CVE identifiers

 -- Otto Kekäläinen <email address hidden> Wed, 14 Sep 2016 22:30:17 +0300

This bug was fixed in the package mariadb-5.5 - 5.5.52-1ubuntu0.14.04.1

---------------
mariadb-5.5 (5.5.52-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: New upstream release 5.5.52 (LP: #1605493)
    - Latest maintenance release includes only fixes to serious bugs.
  * Previous release 5.5.51 included included fixes for
    the following security vulnerabilities:
    - CVE-2016-6662
  * Previous release 5.5.50 included included fixes for
    the following security vulnerabilities:
    - CVE-2016-5440
    - CVE-2016-3615
    - CVE-2016-3521
    - CVE-2016-3477
  * Update previous changelog entries to contain new CVE identifiers

 -- Otto Kekäläinen <email address hidden> Wed, 14 Sep 2016 21:01:08 +0300