Security update for mariadb

Announcement ID:	SUSE-SU-2015:1273-1
Rating:	important
References:	bsc#906574 bsc#919053 bsc#919062 bsc#920865 bsc#920896 bsc#921333 bsc#924663 bsc#924960 bsc#924961 bsc#934789 bsc#936407 bsc#936408 bsc#936409
Cross-References:	CVE-2014-8964 CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2325 CVE-2015-2326 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-3152
CVSS scores:	CVE-2015-2325 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2015-2326 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2015-3152 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Workstation Extension 12

An update that solves 12 vulnerabilities and has one security fix can now be installed.

Description:

  This update fixes the following security issues:
* Logjam attack: mysql uses 512 bit dh groups in SSL [bnc#934789]
* CVE-2015-3152: mysql --ssl does not enforce SSL [bnc#924663]
* CVE-2014-8964: heap buffer overflow [bnc#906574]
* CVE-2015-2325: heap buffer overflow in compile_branch() [bnc#924960]
* CVE-2015-2326: heap buffer overflow in pcre_compile2() [bnc#924961]
* CVE-2015-0501: unspecified vulnerability related to Server:Compiling (CPU April 2015) 
* CVE-2015-2571: unspecified vulnerability related to Server:Optimizer (CPU April 2015)
* CVE-2015-0505: unspecified vulnerability related to Server:DDL (CPU April 2015) 
* CVE-2015-0499: unspecified vulnerability related to Server:Federated (CPU April 2015) 
* CVE-2015-2568: unspecified vulnerability related to Server:Security:Privileges (CPU April 2015) 
* CVE-2015-2573: unspecified vulnerability related to Server:DDL (CPU April 2015)
* CVE-2015-0433: unspecified vulnerability related to Server:InnoDB:DML (CPU April 2015) 
* CVE-2015-0441: unspecified vulnerability related to Server:Security:Encryption (CPU April 2015)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-332=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-332=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-332=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-332=1
• SUSE Linux Enterprise Workstation Extension 12
  zypper in -t patch SUSE-SLE-WE-12-2015-332=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • mariadb-errormessages-10.0.20-18.1
  • libmysqlclient_r18-32bit-10.0.20-18.1
  • mariadb-client-10.0.20-18.1
  • libmysqlclient18-10.0.20-18.1
  • libmysqlclient_r18-10.0.20-18.1
  • libmysqlclient18-debuginfo-32bit-10.0.20-18.1
  • mariadb-10.0.20-18.1
  • mariadb-debuginfo-10.0.20-18.1
  • mariadb-debugsource-10.0.20-18.1
  • libmysqlclient18-32bit-10.0.20-18.1
  • mariadb-client-debuginfo-10.0.20-18.1
  • libmysqlclient18-debuginfo-10.0.20-18.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • libmysqld18-10.0.20-18.1
  • libmysqlclient_r18-10.0.20-18.1
  • libmysqlclient-devel-10.0.20-18.1
  • mariadb-debuginfo-10.0.20-18.1
  • mariadb-debugsource-10.0.20-18.1
  • libmysqld-devel-10.0.20-18.1
  • libmysqld18-debuginfo-10.0.20-18.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • mariadb-errormessages-10.0.20-18.1
  • mariadb-tools-debuginfo-10.0.20-18.1
  • mariadb-client-10.0.20-18.1
  • libmysqlclient18-10.0.20-18.1
  • mariadb-10.0.20-18.1
  • mariadb-debuginfo-10.0.20-18.1
  • mariadb-debugsource-10.0.20-18.1
  • mariadb-client-debuginfo-10.0.20-18.1
  • mariadb-tools-10.0.20-18.1
  • libmysqlclient18-debuginfo-10.0.20-18.1
• SUSE Linux Enterprise Server 12 (s390x x86_64)
  • libmysqlclient18-debuginfo-32bit-10.0.20-18.1
  • libmysqlclient18-32bit-10.0.20-18.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • mariadb-errormessages-10.0.20-18.1
  • mariadb-tools-debuginfo-10.0.20-18.1
  • mariadb-client-10.0.20-18.1
  • libmysqlclient18-10.0.20-18.1
  • libmysqlclient18-debuginfo-32bit-10.0.20-18.1
  • mariadb-10.0.20-18.1
  • mariadb-debuginfo-10.0.20-18.1
  • mariadb-debugsource-10.0.20-18.1
  • libmysqlclient18-32bit-10.0.20-18.1
  • mariadb-client-debuginfo-10.0.20-18.1
  • mariadb-tools-10.0.20-18.1
  • libmysqlclient18-debuginfo-10.0.20-18.1
• SUSE Linux Enterprise Workstation Extension 12 (x86_64)
  • mariadb-debuginfo-10.0.20-18.1
  • libmysqlclient_r18-10.0.20-18.1
  • mariadb-debugsource-10.0.20-18.1
  • libmysqlclient_r18-32bit-10.0.20-18.1

References:

• https://www.suse.com/security/cve/CVE-2014-8964.html
• https://www.suse.com/security/cve/CVE-2015-0433.html
• https://www.suse.com/security/cve/CVE-2015-0441.html
• https://www.suse.com/security/cve/CVE-2015-0499.html
• https://www.suse.com/security/cve/CVE-2015-0501.html
• https://www.suse.com/security/cve/CVE-2015-0505.html
• https://www.suse.com/security/cve/CVE-2015-2325.html
• https://www.suse.com/security/cve/CVE-2015-2326.html
• https://www.suse.com/security/cve/CVE-2015-2568.html
• https://www.suse.com/security/cve/CVE-2015-2571.html
• https://www.suse.com/security/cve/CVE-2015-2573.html
• https://www.suse.com/security/cve/CVE-2015-3152.html
• https://bugzilla.suse.com/show_bug.cgi?id=906574
• https://bugzilla.suse.com/show_bug.cgi?id=919053
• https://bugzilla.suse.com/show_bug.cgi?id=919062
• https://bugzilla.suse.com/show_bug.cgi?id=920865
• https://bugzilla.suse.com/show_bug.cgi?id=920896
• https://bugzilla.suse.com/show_bug.cgi?id=921333
• https://bugzilla.suse.com/show_bug.cgi?id=924663
• https://bugzilla.suse.com/show_bug.cgi?id=924960
• https://bugzilla.suse.com/show_bug.cgi?id=924961
• https://bugzilla.suse.com/show_bug.cgi?id=934789
• https://bugzilla.suse.com/show_bug.cgi?id=936407
• https://bugzilla.suse.com/show_bug.cgi?id=936408
• https://bugzilla.suse.com/show_bug.cgi?id=936409