Security update for mariadb

Announcement ID:	SUSE-SU-2019:2048-1
Rating:	important
References:	bsc#1013882 bsc#1101676 bsc#1101677 bsc#1101678 bsc#1103342 bsc#1112368 bsc#1112397 bsc#1112417 bsc#1112421 bsc#1112432 bsc#1116686 bsc#1118754 bsc#1132666 bsc#1136037
Cross-References:	CVE-2016-9843 CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066 CVE-2018-3143 CVE-2018-3156 CVE-2018-3174 CVE-2018-3251 CVE-2018-3282 CVE-2019-2529 CVE-2019-2537
CVSS scores:	CVE-2016-9843 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9843 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-3058 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3063 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3064 ( SUSE ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3066 ( SUSE ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3143 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3143 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3174 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3251 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2529 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2529 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2529 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:	HPE Helion OpenStack 8 SUSE Enterprise Storage 4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

An update that solves 12 vulnerabilities and has two security fixes can now be installed.

Description:

This update for mariadb fixes the following issues:

Update to MariaDB 10.0.38 GA (bsc#1136037).

Security issues fixed:

• CVE-2019-2537: Denial of service via multiple protocols (bsc#1136037)
• CVE-2019-2529: Denial of service via multiple protocols (bsc#1136037)
• CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
• CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
• CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
• CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
• CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
• CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
• CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
• CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
• CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
• CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)

Non-security changes:

• Removed PerconaFT from the package as it has AGPL licence (bsc#1118754).
• Do not just remove tokudb plugin but don't build it at all (missing jemalloc dependency).
• Fixed reading options for multiple instances if my${INSTANCE}.cnf is used (bsc#1132666).
• Removed "umask 077" from mysql-systemd-helper that caused new datadirs created with wrong permissions (bsc#1132666).

Release notes and changelog:

• https://kb.askmonty.org/en/mariadb-10038-release-notes
• https://kb.askmonty.org/en/mariadb-10038-changelog
• https://kb.askmonty.org/en/mariadb-10037-release-notes
• https://kb.askmonty.org/en/mariadb-10037-changelog
• https://kb.askmonty.org/en/mariadb-10036-release-notes
• https://kb.askmonty.org/en/mariadb-10036-changelog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• HPE Helion OpenStack 8
  zypper in -t patch HPE-Helion-OpenStack-8-2019-2048=1
• SUSE OpenStack Cloud 7
  zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2048=1
• SUSE OpenStack Cloud 8
  zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2048=1
• SUSE OpenStack Cloud Crowbar 8
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2048=1
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  zypper in -t patch SUSE-SLE-POS-12-SP2-CLIENT-2019-2048=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2048=1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2048=1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2048=1
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2019-2048=1
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2048=1
• SUSE Enterprise Storage 4
  zypper in -t patch SUSE-Storage-4-2019-2048=1

Package List:

• HPE Helion OpenStack 8 (x86_64)
  • libmysqlclient18-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
• SUSE OpenStack Cloud 7 (x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE OpenStack Cloud 8 (x86_64)
  • libmysqlclient18-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
• SUSE OpenStack Cloud Crowbar 8 (x86_64)
  • libmysqlclient18-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (x86_64)
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqld18-debuginfo-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • libmysqlclient_r18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • libmysqlclient-devel-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • libmysqld18-10.0.38-29.27.3
  • libmysqld-devel-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (s390x x86_64)
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (ppc64le s390x x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (s390x x86_64)
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
• SUSE Enterprise Storage 4 (x86_64)
  • libmysqlclient18-debuginfo-10.0.38-29.27.3
  • libmysqlclient18-debuginfo-32bit-10.0.38-29.27.3
  • mariadb-10.0.38-29.27.3
  • libmysqlclient18-32bit-10.0.38-29.27.3
  • mariadb-client-10.0.38-29.27.3
  • mariadb-debugsource-10.0.38-29.27.3
  • mariadb-errormessages-10.0.38-29.27.3
  • libmysqlclient18-10.0.38-29.27.3
  • mariadb-debuginfo-10.0.38-29.27.3
  • mariadb-tools-10.0.38-29.27.3
  • mariadb-tools-debuginfo-10.0.38-29.27.3
  • mariadb-client-debuginfo-10.0.38-29.27.3

References:

• https://www.suse.com/security/cve/CVE-2016-9843.html
• https://www.suse.com/security/cve/CVE-2018-3058.html
• https://www.suse.com/security/cve/CVE-2018-3063.html
• https://www.suse.com/security/cve/CVE-2018-3064.html
• https://www.suse.com/security/cve/CVE-2018-3066.html
• https://www.suse.com/security/cve/CVE-2018-3143.html
• https://www.suse.com/security/cve/CVE-2018-3156.html
• https://www.suse.com/security/cve/CVE-2018-3174.html
• https://www.suse.com/security/cve/CVE-2018-3251.html
• https://www.suse.com/security/cve/CVE-2018-3282.html
• https://www.suse.com/security/cve/CVE-2019-2529.html
• https://www.suse.com/security/cve/CVE-2019-2537.html
• https://bugzilla.suse.com/show_bug.cgi?id=1013882
• https://bugzilla.suse.com/show_bug.cgi?id=1101676
• https://bugzilla.suse.com/show_bug.cgi?id=1101677
• https://bugzilla.suse.com/show_bug.cgi?id=1101678
• https://bugzilla.suse.com/show_bug.cgi?id=1103342
• https://bugzilla.suse.com/show_bug.cgi?id=1112368
• https://bugzilla.suse.com/show_bug.cgi?id=1112397
• https://bugzilla.suse.com/show_bug.cgi?id=1112417
• https://bugzilla.suse.com/show_bug.cgi?id=1112421
• https://bugzilla.suse.com/show_bug.cgi?id=1112432
• https://bugzilla.suse.com/show_bug.cgi?id=1116686
• https://bugzilla.suse.com/show_bug.cgi?id=1118754
• https://bugzilla.suse.com/show_bug.cgi?id=1132666
• https://bugzilla.suse.com/show_bug.cgi?id=1136037