Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Red Hat 7: RHSA-2016:1132-01 Important: MariaDB Security Notice

red hat
Calendar Grey May 26, 2016
Dist Redhat Esm H88
Oracle provides a Critical security update for Oracle Database 19c featuring essential patches to mitigate threats.
An update for rh-mariadb100-mariadb is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

Summary

MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL. MariaDB uses PCRE, a Perl-compatible regular expression library, to implement regular expression support in SQL queries.
Security Fix(es):
* It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047)
* This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-4792, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4879, CVE-2015-4895, CVE-2015-4913, CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0655, CVE-2016-0666, CVE-2016-0668)
* Multiple flaws were found in the way PCRE handled malformed regular expressions. An attacker able to make MariaDB execute an SQL query with a specially crafted regular expression could use these flaws to cause it to crash or, possibly, execute arbitrary code. (CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395, CVE-2016-1283, CVE-2016-3191)

Topics%20covered

Topics Covered

security advisory update red hat security fix important mariadb sql

References

https://access.redhat.com/security/cve/CVE-2015-3210 https://access.redhat.com/security/cve/CVE-2015-3217 https://access.redhat.com/security/cve/CVE-2015-4792 https://access.redhat.com/security/cve/CVE-2015-4802 https://access.redhat.com/security/cve/CVE-2015-4815 https://access.redhat.com/security/cve/CVE-2015-4816 https://access.redhat.com/security/cve/CVE-2015-4819 https://access.redhat.com/security/cve/CVE-2015-4826 https://access.redhat.com/security/cve/CVE-2015-4830 https://access.redhat.com/security/cve/CVE-2015-4836 https://access.redhat.com/security/cve/CVE-2015-4858 https://access.redhat.com/security/cve/CVE-2015-4861 https://access.redhat.com/security/cve/CVE-2015-4870 https://access.redhat.com/security/cve/CVE-2015-4879 https://access.redhat.com/security/cve/CVE-2015-4895 https://access.redhat.com/security/cve/CVE-2015-4913 https://access.redhat.com/security/cve/CVE-2015-5073 https://access.redhat.com/security/cve/CVE-2015-8381 https://access.redhat.com/security/cve/CVE-2015-8383 https://access.redhat.com/security/cve/CVE-2015-8384 https://access.redhat.com/security/cve/CVE-2015-8385 https://access.redhat.com/security/cve/CVE-2015-8386 https://access.redhat.com/security/cve/CVE-2015-8388 https://access.redhat.com/security/cve/CVE-2015-8391 Read the Full Advisory

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: rh-mariadb100-mariadb-10.0.25-4.el6.src.rpm
x86_64: rh-mariadb100-mariadb-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-bench-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-common-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-config-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-debuginfo-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-devel-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-errmsg-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-oqgraph-engine-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-server-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-test-10.0.25-4.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source: rh-mariadb100-mariadb-10.0.25-4.el6.src.rpm
x86_64: rh-mariadb100-mariadb-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-bench-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-common-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-config-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-debuginfo-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-devel-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-errmsg-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-oqgraph-engine-10.0.25-4.el6.x86_64.rpm rh-mariadb100-mariadb-server-10.0.25-4.el6.x86_64.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2016:1132-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1132
Issue date: 2016-05-26

Topic

An update for rh-mariadb100-mariadb is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory update red hat security fix important mariadb sql

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Bugs Fixed

1228283 - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)

1237223 - CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)

1274752 - CVE-2015-4792 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)

1274756 - CVE-2015-4802 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)

1274759 - CVE-2015-4815 mysql: unspecified vulnerability related to Server:DDL (CPU October 2015)

1274761 - CVE-2015-4816 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)

1274764 - CVE-2015-4819 mysql: unspecified vulnerability related to Client programs (CPU October 2015)

1274766 - CVE-2015-4826 mysql: unspecified vulnerability related to Server:Types (CPU October 2015)

1274767 - CVE-2015-4830 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)

1274771 - CVE-2015-4836 mysql: unspecified vulnerability related to Server:SP (CPU October 2015)

1274773 - CVE-2015-4858 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)

1274776 - CVE-2015-4861 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)

1274781 - CVE-2015-4870 mysql: unspecified vulnerability related to Server:Parser (CPU October 2015)

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here