-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:028 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : mariadb Date : February 13, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in mariadb: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string (CVE-2014-0001). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB (CVE-2014-0412). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0437). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling (CVE-2013-5908). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication (CVE-2014-0420). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB (CVE-2014-0393). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition (CVE-2013-5891). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0386). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors (CVE-2014-0401). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking (CVE-2014-0402). The updated packages have been upgraded to the 5.5.35 version which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0412 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0437 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5908 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0393 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5891 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0402 http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html https://mariadb.com/kb/en/mariadb-5535-release-notes/ _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: c4506e2f821bb960753f87e0e4ae358e mbs1/x86_64/lib64mariadb18-5.5.35-1.mbs1.x86_64.rpm 0aabce801de937cf7d0b6e370337ee59 mbs1/x86_64/lib64mariadb-devel-5.5.35-1.mbs1.x86_64.rpm ebec92fb0f77f15039c75970da2fb016 mbs1/x86_64/lib64mariadb-embedded18-5.5.35-1.mbs1.x86_64.rpm 5cbc3bef79b6088611b8e9d949721ca1 mbs1/x86_64/lib64mariadb-embedded-devel-5.5.35-1.mbs1.x86_64.rpm 1aec9579d6bb0c9846bcc19ff6d77d64 mbs1/x86_64/mariadb-5.5.35-1.mbs1.x86_64.rpm a727ddd8d4b38a5423d1f996a77b37a9 mbs1/x86_64/mariadb-bench-5.5.35-1.mbs1.x86_64.rpm 6322005c7cca10c2b069a31c68f74bca mbs1/x86_64/mariadb-client-5.5.35-1.mbs1.x86_64.rpm 39a528d1e4ea9bd4e070229f69af0097 mbs1/x86_64/mariadb-common-5.5.35-1.mbs1.x86_64.rpm ba9f6a9adf6e054851c8cb0b4c97480c mbs1/x86_64/mariadb-common-core-5.5.35-1.mbs1.x86_64.rpm 11a4d25702a5e780d450dd6b0879cc95 mbs1/x86_64/mariadb-core-5.5.35-1.mbs1.x86_64.rpm fcf494519bd55dfa5593cbe58598754c mbs1/x86_64/mariadb-extra-5.5.35-1.mbs1.x86_64.rpm 8ead8373395845ad6f6dc9b3c6385b0b mbs1/x86_64/mariadb-feedback-5.5.35-1.mbs1.x86_64.rpm c00dbc345b919e9af97e23e96ce02b1c mbs1/x86_64/mariadb-obsolete-5.5.35-1.mbs1.x86_64.rpm bd38c748f41973aa392926a759789fb7 mbs1/x86_64/mysql-MariaDB-5.5.35-1.mbs1.x86_64.rpm e51a1d26d85b936c5125ec805017e1a3 mbs1/SRPMS/mariadb-5.5.35-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFS/P3AmqjQ0CJFipgRAmrGAJwJ8BrBCtFOIusEbRdyvqnddPP9swCbBpuS H1WPjNNs8EGZD21sPYvAkuQ= =Xr1S -----END PGP SIGNATURE-----
