Debian Bug report logs -
#885345
mariadb-10.1: CVE-2017-15365: Replication in sql/event_data_objects.cc occurs before ACL checks
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 26 Dec 2017 14:18:01 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions mariadb-10.1/1:10.1.29-6, mariadb-10.1/10.1.23-1
Fixed in versions mariadb-10.1/1:10.1.34-1, mariadb-10.1/10.1.37-0+deb9u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#885345; Package src:mariadb-10.1.
(Tue, 26 Dec 2017 14:18:04 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Tue, 26 Dec 2017 14:18:04 GMT).
Message #5 received at submit@bugs.debian.org:
Source: mariadb-10.1
Version: 1:10.1.29-6
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 10.1.23-1
Hi,
the following vulnerability was published for mariadb-10.1; it is
fixed in 10.1.30.
CVE-2017-15365[0]:
Replication in sql/event_data_objects.cc occurs before ACL checks
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1524234
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions mariadb-10.1/10.1.23-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 26 Dec 2017 14:18:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#885345; Package src:mariadb-10.1.
(Fri, 29 Dec 2017 12:30:03 GMT).
Acknowledgement sent
to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Fri, 29 Dec 2017 12:30:03 GMT).
Message #12 received at 885345@bugs.debian.org:
FYI, I have been working on this since yesterday, but there are a lot
of things to clean up / fix due to upstream Debian packaging changes
in a stable release, packaging changes by Ondrej in our Debian
packaging git repo, so I need to adapt a new workflow for myself, and
then the fact that 10.1.29 was made and git committed for the stable point
release upload, but it wasn't accepted.
(The release team didn't respond to Ondrej's last message on Dec 11th at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882909)
So things are in progress but moving slowly, unfortunately.
2017-12-26 16:15 GMT+02:00 Salvatore Bonaccorso <carnil@debian.org>:
> Source: mariadb-10.1
> Version: 1:10.1.29-6
> Severity: important
> Tags: security upstream fixed-upstream
> Control: found -1 10.1.23-1
>
>
> Hi,
>
> the following vulnerability was published for mariadb-10.1; it is
> fixed in 10.1.30.
>
> CVE-2017-15365[0]:
> Replication in sql/event_data_objects.cc occurs before ACL checks
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-15365
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15365
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1524234
>
> Please adjust the affected versions in the BTS as needed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#885345; Package src:mariadb-10.1.
(Sat, 30 Dec 2017 16:12:04 GMT).
Acknowledgement sent
to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Sat, 30 Dec 2017 16:12:04 GMT).
Message #17 received at 885345@bugs.debian.org:
I have prepared 10.1.30 for upload to Stretch and work is pushed to
git.debian.org.
CVE entries are updated
https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/commit/?h=stretch
Currently the test builds on arm64 are failing:
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all
I am looking into them.
Please advise what to do with the point release of .29 vs. security
update of .30 situation.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#885345; Package src:mariadb-10.1.
(Tue, 02 Jan 2018 12:03:02 GMT).
Acknowledgement sent
to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>.
(Tue, 02 Jan 2018 12:03:03 GMT).
Message #22 received at 885345@bugs.debian.org:
2017-12-30 18:10 GMT+02:00 Otto Kekäläinen <otto@debian.org>:
> I have prepared 10.1.30 for upload to Stretch and work is pushed to
> git.debian.org.
> CVE entries are updated
> https://anonscm.debian.org/cgit/pkg-mysql/mariadb-10.1.git/commit/?h=stretch
>
> Currently the test builds on arm64 are failing:
> https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all
> I am looking into them.
The arm64 issue is now patched and the freshly pushed stretch branch is
ready for upload as a security update to stretch, if that is the correct
thing to do now.
Please advise.
Marked as fixed in versions mariadb-10.1/1:10.1.34-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Aug 2018 05:39:08 GMT).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Aug 2018 05:39:09 GMT).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 02 Aug 2018 05:39:09 GMT).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 11 Sep 2018 07:26:55 GMT).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 19 Nov 2018 20:39:03 GMT).
Marked as fixed in versions mariadb-10.1/10.1.37-0+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 19 Nov 2018 20:45:05 GMT).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Jan 2019 07:30:25 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Sep 19 09:31:18 2022;