mysql 5.5.46, 5.6.27 security update tracking bug

Bug #1508441 reported by Marc Deslauriers
This bug affects 1 person
Affects              Status        Importance  Assigned to       Milestone
mysql-5.5 (Ubuntu)   Invalid       Undecided   Unassigned
  Precise            Fix Released  Medium      Marc Deslauriers
  Trusty             Fix Released  Medium      Marc Deslauriers
  Vivid              Invalid       Undecided   Unassigned
  Wily               Invalid       Undecided   Unassigned
mysql-5.6 (Ubuntu)   Fix Released  Medium      Marc Deslauriers
  Precise            Invalid       Undecided   Unassigned
  Trusty             Fix Released  Medium      Unassigned
  Vivid              Fix Released  Medium      Marc Deslauriers
  Wily               Fix Released  Medium      Marc Deslauriers

Changed in mysql-5.5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.5 (Ubuntu Vivid):
status: New → Invalid
Changed in mysql-5.5 (Ubuntu Wily):
status: New → Invalid
Changed in mysql-5.6 (Ubuntu Precise):
status: New → Invalid
Changed in mysql-5.6 (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.6 (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in mysql-5.6 (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.46-0ubuntu0.12.04.2

---------------
mysql-5.5 (5.5.46-0ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4864
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/revert_atomic.patch: fix ftbfs on arm and powerpc by
    reverting to __sync_lock_test_and_set.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 11:42:06 -0400

Changed in mysql-5.5 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu1

---------------
mysql-5.6 (5.6.27-0ubuntu1) wily-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4730
    - CVE-2015-4766
    - CVE-2015-4792
    - CVE-2015-4800
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4833
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4862
    - CVE-2015-4864
    - CVE-2015-4866
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4890
    - CVE-2015-4895
    - CVE-2015-4904
    - CVE-2015-4910
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 08:35:53 -0400

Changed in mysql-5.6 (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu0.15.04.1

---------------
mysql-5.6 (5.6.27-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4730
    - CVE-2015-4766
    - CVE-2015-4792
    - CVE-2015-4800
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4833
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4862
    - CVE-2015-4864
    - CVE-2015-4866
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4890
    - CVE-2015-4895
    - CVE-2015-4904
    - CVE-2015-4910
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 09:39:27 -0400

Changed in mysql-5.6 (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.46-0ubuntu0.14.04.2

---------------
mysql-5.5 (5.5.46-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.46 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    - CVE-2015-4792
    - CVE-2015-4802
    - CVE-2015-4815
    - CVE-2015-4816
    - CVE-2015-4819
    - CVE-2015-4826
    - CVE-2015-4830
    - CVE-2015-4836
    - CVE-2015-4858
    - CVE-2015-4861
    - CVE-2015-4864
    - CVE-2015-4870
    - CVE-2015-4879
    - CVE-2015-4913
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/patches/arch-specific/*, debian/patches/rules: dropped
    arch-specific patches for full memory barrier support, equivalent now
    upstream.
  * debian/control: drop quilt from Build-Depends, no longer needed.

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2015 07:14:11 -0400

Changed in mysql-5.5 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.6 - 5.6.27-0ubuntu0.14.04.1

---------------
mysql-5.6 (5.6.27-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1508441)
    - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
  * debian/patches/fix_testsuite_date.patch: fix test suite failure caused
    by arbitrary date in the future no longer being in the future.
  * debian/rules: remove -fno-exceptions to fix ftbfs with new version.
  * debian/rules: fix ftbfs by building the sql directory first so the
    required files are generated.

 -- Marc Deslauriers <email address hidden> Mon, 26 Oct 2015 10:44:28 -0400

Changed in mysql-5.6 (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in mysql-5.6 (Ubuntu):
status: Confirmed → Fix Released
Tsukasa (tsukasa1105) wrote :

Possible regression. I have vagrant -> puppet setting up ubuntu 14.04 from scratch on a semi-regular basis. After the package was released I see this:

==> one: Setting up mysql-server-core-5.6 (5.6.27-0ubuntu0.14.04.1) ...
==> one: Setting up mysql-server-5.6 (5.6.27-0ubuntu0.14.04.1) ...
==> one: start: Job failed to start
==> one: invoke-rc.d: initscript mysql, action "start" failed.
==> one: dpkg: error processing package mysql-server-5.6 (--configure):
==> one: subprocess installed post-installation script returned error exit status 1

After I SSH into the box and run it manually:

# /etc/init.d/mysql start
 * Starting MySQL database server mysqld
No directory, logging in with HOME=/
-su: 31: source: not found
   ...done.
 * Checking for tables which need an upgrade, are corrupt or were
not closed cleanly.

Then mysql server runs correctly.

More info:

# apt-cache policy mysql-server-5.6
mysql-server-5.6:
  Installed: 5.6.27-0ubuntu0.14.04.1
  Candidate: 5.6.27-0ubuntu0.14.04.1
  Version table:
 *** 5.6.27-0ubuntu0.14.04.1 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.6.25-3+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/mysql-5.6/ubuntu/ trusty/main amd64 Packages
     5.6.16-1~exp1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/universe amd64 Packages

Marc Deslauriers (mdeslaur) wrote :

I can't reproduce that failure, could you please attach your /var/log/dpkg.log file?

Tsukasa (tsukasa1105) wrote :

Sure.


Marc Deslauriers (mdeslaur) wrote :

Looks like you upgraded from a version that wasn't in the archive, namely 5.6.25-3+deb.sury.org~trusty+1.
Are you able to reproduce the issue in a clean install without that unofficial package?

Tsukasa (tsukasa1105) wrote :

I believe that package would be in the default distribution image for linode (as it is a fresh image from their fresh image).

Should I contact the Linode package managers and/or force an uninstall somehow?

Tsukasa (tsukasa1105) wrote :

Got it fixed by removing the PPA for deb.sury.org. I also notified the maintainer of this issue.

For those having the same issue and are using puphpet, this repository is enabled by default. I modified puphpet/puppet/modules/puphpet/manifests/mysql/repo.pp and changed the file to:

class puphpet::mysql::repo(
  $version
) {
}

to remove the repository and it was fixed for me.

Thanks
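
Added example, not part of the original bug report or of any comment above: a Python check for the condition identified in this thread, a package version offered by a repository outside the Ubuntu archive. It parses the `apt-cache policy` output quoted in the report; the `ARCHIVE_HOSTS` allowlist (which treats the Linode mirror as trusted) and the function names are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# `apt-cache policy mysql-server-5.6` output, copied from the report above.
POLICY = """\
mysql-server-5.6:
  Installed: 5.6.27-0ubuntu0.14.04.1
  Candidate: 5.6.27-0ubuntu0.14.04.1
  Version table:
 *** 5.6.27-0ubuntu0.14.04.1 0
        500 http://mirrors.linode.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.6.25-3+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/mysql-5.6/ubuntu/ trusty/main amd64 Packages
     5.6.16-1~exp1 0
        500 http://mirrors.linode.com/ubuntu/ trusty/universe amd64 Packages
"""

# Assumption: hosts treated as the official archive or a trusted mirror of it.
ARCHIVE_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com", "mirrors.linode.com"}

# A version row is indented up to 5 columns ("***" marks the installed one);
# the origin rows beneath it are indented further and start with a pin priority.
VERSION_RE = re.compile(r"^\s{1,5}(\*\*\*\s+)?(\S+)\s+(-?\d+)\s*$")
SOURCE_RE = re.compile(r"^\s{6,}(-?\d+)\s+(\S+)")

def parse_version_table(text):
    """Return {version: [origin, ...]} from `apt-cache policy` output."""
    table, current = {}, None
    for line in text.partition("Version table:")[2].splitlines():
        src, ver = SOURCE_RE.match(line), VERSION_RE.match(line)
        if src and current is not None:
            table[current].append(src.group(2))
        elif ver:
            current = ver.group(2)
            table[current] = []
    return table

def foreign_versions(text, archive_hosts=ARCHIVE_HOSTS):
    """Return {version: [origins]} for versions served from outside archive_hosts."""
    flagged = {}
    for version, sources in parse_version_table(text).items():
        # Local entries such as /var/lib/dpkg/status are not remote origins.
        outside = [s for s in sources
                   if s.startswith("http") and urlparse(s).hostname not in archive_hosts]
        if outside:
            flagged[version] = outside
    return flagged
```

On the output quoted in the report, `foreign_versions(POLICY)` flags only the `5.6.25-3+deb.sury.org~trusty+1` entry served from `ppa.launchpad.net`.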

This report contains Public Security information  
Everyone can see this security related information.
