Security update for mariadb

Announcement ID:	SUSE-SU-2017:2034-1
Rating:	important
References:	bsc#1048715
Cross-References:	CVE-2017-3308 CVE-2017-3309 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464
CVSS scores:	CVE-2017-3308 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-3308 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-3309 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-3309 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-3453 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3453 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-3456 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-3456 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-3464 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2017-3464 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves five vulnerabilities can now be installed.

Description:

This MariaDB update to version 10.0.31 GA fixes the following issues:

Security issues fixed: - CVE-2017-3308: Subcomponent: Server: DML: Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3309: Subcomponent: Server: Optimizer: Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3453: Subcomponent: Server: Optimizer: Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3456: Subcomponent: Server: DML: Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3464: Subcomponent: Server: DDL: Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)

Bug fixes: - XtraDB updated to 5.6.36-82.0 - TokuDB updated to 5.6.36-82.0 - Innodb updated to 5.6.36 - Performance Schema updated to 5.6.36

Release notes and changelog: - https://kb.askmonty.org/en/mariadb-10031-release-notes - https://kb.askmonty.org/en/mariadb-10031-changelog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2017-1244=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-1244=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • mariadb-tools-10.0.31-20.29.1
  • mariadb-client-10.0.31-20.29.1
  • libmysqlclient-devel-10.0.31-20.29.1
  • libmysqlclient18-debuginfo-10.0.31-20.29.1
  • libmysqld18-debuginfo-10.0.31-20.29.1
  • libmysqlclient_r18-10.0.31-20.29.1
  • mariadb-client-debuginfo-10.0.31-20.29.1
  • libmysqlclient18-10.0.31-20.29.1
  • libmysqld-devel-10.0.31-20.29.1
  • libmysqlclient18-32bit-10.0.31-20.29.1
  • mariadb-tools-debuginfo-10.0.31-20.29.1
  • libmysqlclient18-debuginfo-32bit-10.0.31-20.29.1
  • libmysqld18-10.0.31-20.29.1
  • mariadb-errormessages-10.0.31-20.29.1
  • mariadb-debuginfo-10.0.31-20.29.1
  • mariadb-10.0.31-20.29.1
  • mariadb-debugsource-10.0.31-20.29.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • mariadb-client-10.0.31-20.29.1
  • mariadb-tools-10.0.31-20.29.1
  • libmysqlclient18-debuginfo-10.0.31-20.29.1
  • libmysqlclient-devel-10.0.31-20.29.1
  • libmysqld18-debuginfo-10.0.31-20.29.1
  • libmysqlclient_r18-10.0.31-20.29.1
  • libmysqlclient18-10.0.31-20.29.1
  • libmysqld-devel-10.0.31-20.29.1
  • mariadb-client-debuginfo-10.0.31-20.29.1
  • mariadb-tools-debuginfo-10.0.31-20.29.1
  • libmysqld18-10.0.31-20.29.1
  • mariadb-errormessages-10.0.31-20.29.1
  • mariadb-debuginfo-10.0.31-20.29.1
  • mariadb-10.0.31-20.29.1
  • mariadb-debugsource-10.0.31-20.29.1
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libmysqlclient18-debuginfo-32bit-10.0.31-20.29.1
  • libmysqlclient18-32bit-10.0.31-20.29.1

References:

• https://www.suse.com/security/cve/CVE-2017-3308.html
• https://www.suse.com/security/cve/CVE-2017-3309.html
• https://www.suse.com/security/cve/CVE-2017-3453.html
• https://www.suse.com/security/cve/CVE-2017-3456.html
• https://www.suse.com/security/cve/CVE-2017-3464.html
• https://bugzilla.suse.com/show_bug.cgi?id=1048715