Security update for mariadb

Announcement ID:	SUSE-SU-2017:0411-1
Rating:	important
References:	bsc#1008253 bsc#1020868 bsc#1020873 bsc#1020875 bsc#1020877 bsc#1020878 bsc#1020882 bsc#1020884 bsc#1020885 bsc#1020891 bsc#1020894 bsc#1020896 bsc#1022428
Cross-References:	CVE-2016-6664 CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3257 CVE-2017-3258 CVE-2017-3265 CVE-2017-3291 CVE-2017-3312 CVE-2017-3317 CVE-2017-3318
CVSS scores:	CVE-2016-6664 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-6664 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-6664 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-3238 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3238 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3243 ( NVD ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-3243 ( NVD ): 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-3244 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3244 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3257 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3257 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3258 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3258 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3258 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3265 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H CVE-2017-3265 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H CVE-2017-3291 ( NVD ): 6.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2017-3291 ( NVD ): 6.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2017-3312 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2017-3312 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2017-3312 ( NVD ): 6.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2017-3317 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H CVE-2017-3317 ( NVD ): 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H CVE-2017-3318 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVE-2017-3318 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVE-2017-3318 ( NVD ): 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves 11 vulnerabilities and has two security fixes can now be installed.

Description:

This mariadb version update to 10.0.29 fixes the following issues:

• CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
• CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
• CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
• CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)
• CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)
• CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875)
• CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)
• CVE-2017-3244: unspecified vulnerability affecing the DML component (bsc#1020877)
• CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891)
• CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882)
• CVE-2016-6664: Root Privilege Escalation (bsc#1008253)

• Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428)

• notable changes:

• XtraDB updated to 5.6.34-79.1
• TokuDB updated to 5.6.34-79.1
• Innodb updated to 5.6.35
• Performance Schema updated to 5.6.35

Release notes and changelog: * https://kb.askmonty.org/en/mariadb-10029-release-notes * https://kb.askmonty.org/en/mariadb-10029-changelog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2017-205=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-205=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • libmysqlclient18-32bit-10.0.29-20.23.1
  • libmysqlclient18-10.0.29-20.23.1
  • libmysqlclient18-debuginfo-10.0.29-20.23.1
  • mariadb-debuginfo-10.0.29-20.23.1
  • mariadb-debugsource-10.0.29-20.23.1
  • mariadb-client-debuginfo-10.0.29-20.23.1
  • libmysqld18-debuginfo-10.0.29-20.23.1
  • mariadb-tools-debuginfo-10.0.29-20.23.1
  • libmysqlclient18-debuginfo-32bit-10.0.29-20.23.1
  • mariadb-10.0.29-20.23.1
  • mariadb-client-10.0.29-20.23.1
  • libmysqlclient-devel-10.0.29-20.23.1
  • mariadb-tools-10.0.29-20.23.1
  • libmysqld-devel-10.0.29-20.23.1
  • libmysqlclient_r18-10.0.29-20.23.1
  • libmysqld18-10.0.29-20.23.1
  • mariadb-errormessages-10.0.29-20.23.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • libmysqlclient18-10.0.29-20.23.1
  • libmysqlclient18-debuginfo-10.0.29-20.23.1
  • mariadb-debuginfo-10.0.29-20.23.1
  • mariadb-debugsource-10.0.29-20.23.1
  • mariadb-client-debuginfo-10.0.29-20.23.1
  • libmysqld18-debuginfo-10.0.29-20.23.1
  • mariadb-tools-debuginfo-10.0.29-20.23.1
  • mariadb-10.0.29-20.23.1
  • mariadb-client-10.0.29-20.23.1
  • libmysqlclient-devel-10.0.29-20.23.1
  • mariadb-tools-10.0.29-20.23.1
  • libmysqld-devel-10.0.29-20.23.1
  • libmysqlclient_r18-10.0.29-20.23.1
  • libmysqld18-10.0.29-20.23.1
  • mariadb-errormessages-10.0.29-20.23.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libmysqlclient18-32bit-10.0.29-20.23.1
  • libmysqlclient18-debuginfo-32bit-10.0.29-20.23.1

References:

• https://www.suse.com/security/cve/CVE-2016-6664.html
• https://www.suse.com/security/cve/CVE-2017-3238.html
• https://www.suse.com/security/cve/CVE-2017-3243.html
• https://www.suse.com/security/cve/CVE-2017-3244.html
• https://www.suse.com/security/cve/CVE-2017-3257.html
• https://www.suse.com/security/cve/CVE-2017-3258.html
• https://www.suse.com/security/cve/CVE-2017-3265.html
• https://www.suse.com/security/cve/CVE-2017-3291.html
• https://www.suse.com/security/cve/CVE-2017-3312.html
• https://www.suse.com/security/cve/CVE-2017-3317.html
• https://www.suse.com/security/cve/CVE-2017-3318.html
• https://bugzilla.suse.com/show_bug.cgi?id=1008253
• https://bugzilla.suse.com/show_bug.cgi?id=1020868
• https://bugzilla.suse.com/show_bug.cgi?id=1020873
• https://bugzilla.suse.com/show_bug.cgi?id=1020875
• https://bugzilla.suse.com/show_bug.cgi?id=1020877
• https://bugzilla.suse.com/show_bug.cgi?id=1020878
• https://bugzilla.suse.com/show_bug.cgi?id=1020882
• https://bugzilla.suse.com/show_bug.cgi?id=1020884
• https://bugzilla.suse.com/show_bug.cgi?id=1020885
• https://bugzilla.suse.com/show_bug.cgi?id=1020891
• https://bugzilla.suse.com/show_bug.cgi?id=1020894
• https://bugzilla.suse.com/show_bug.cgi?id=1020896
• https://bugzilla.suse.com/show_bug.cgi?id=1022428