Security update for mariadb

Announcement ID:	SUSE-SU-2018:3972-1
Rating:	important
References:	bsc#1013882 bsc#1101676 bsc#1101677 bsc#1101678 bsc#1103342 bsc#1112368 bsc#1112397 bsc#1112417 bsc#1112421 bsc#1112432 bsc#1116686
Cross-References:	CVE-2016-9843 CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066 CVE-2018-3143 CVE-2018-3156 CVE-2018-3174 CVE-2018-3251 CVE-2018-3282
CVSS scores:	CVE-2016-9843 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9843 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-3058 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3063 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3064 ( SUSE ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3066 ( SUSE ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3143 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3143 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3174 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3251 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves 10 vulnerabilities and has one security fix can now be installed.

Description:

This update for mariadb fixes the following issues:

Update to MariaDB 10.0.37 GA (bsc#1116686).

Security issues fixed:

• CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
• CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
• CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
• CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
• CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
• CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
• CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
• CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
• CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
• CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)

Release notes and changelog:

• https://kb.askmonty.org/en/mariadb-10037-release-notes
• https://kb.askmonty.org/en/mariadb-10037-changelog
• https://kb.askmonty.org/en/mariadb-10036-release-notes
• https://kb.askmonty.org/en/mariadb-10036-changelog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2018-2833=1

Package List:

• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • libmysqld18-debuginfo-10.0.37-20.49.2
  • mariadb-tools-10.0.37-20.49.2
  • mariadb-debugsource-10.0.37-20.49.2
  • libmysqld-devel-10.0.37-20.49.2
  • mariadb-client-10.0.37-20.49.2
  • mariadb-10.0.37-20.49.2
  • mariadb-tools-debuginfo-10.0.37-20.49.2
  • libmysqlclient18-10.0.37-20.49.2
  • mariadb-client-debuginfo-10.0.37-20.49.2
  • libmysqlclient18-debuginfo-10.0.37-20.49.2
  • mariadb-errormessages-10.0.37-20.49.2
  • libmysqld18-10.0.37-20.49.2
  • mariadb-debuginfo-10.0.37-20.49.2
  • libmysqlclient-devel-10.0.37-20.49.2
  • libmysqlclient_r18-10.0.37-20.49.2
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • libmysqlclient18-32bit-10.0.37-20.49.2
  • libmysqlclient18-debuginfo-32bit-10.0.37-20.49.2

References:

• https://www.suse.com/security/cve/CVE-2016-9843.html
• https://www.suse.com/security/cve/CVE-2018-3058.html
• https://www.suse.com/security/cve/CVE-2018-3063.html
• https://www.suse.com/security/cve/CVE-2018-3064.html
• https://www.suse.com/security/cve/CVE-2018-3066.html
• https://www.suse.com/security/cve/CVE-2018-3143.html
• https://www.suse.com/security/cve/CVE-2018-3156.html
• https://www.suse.com/security/cve/CVE-2018-3174.html
• https://www.suse.com/security/cve/CVE-2018-3251.html
• https://www.suse.com/security/cve/CVE-2018-3282.html
• https://bugzilla.suse.com/show_bug.cgi?id=1013882
• https://bugzilla.suse.com/show_bug.cgi?id=1101676
• https://bugzilla.suse.com/show_bug.cgi?id=1101677
• https://bugzilla.suse.com/show_bug.cgi?id=1101678
• https://bugzilla.suse.com/show_bug.cgi?id=1103342
• https://bugzilla.suse.com/show_bug.cgi?id=1112368
• https://bugzilla.suse.com/show_bug.cgi?id=1112397
• https://bugzilla.suse.com/show_bug.cgi?id=1112417
• https://bugzilla.suse.com/show_bug.cgi?id=1112421
• https://bugzilla.suse.com/show_bug.cgi?id=1112432
• https://bugzilla.suse.com/show_bug.cgi?id=1116686