Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Red Hat: RHSA-2016-2061-01 Critical: postgresql Vulnerability Exploit

Calendar Oct 13, 2016 User Avatar LinuxSecurity Advisories
2 - 4 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory privilege escalation bug fix important red hat enterprise openstack mariadb galera
An update for mariadb-galera is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: mariadb-galera security and bug fix update
Advisory ID:       RHSA-2016:2060-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:2060.html
Issue date:        2016-10-13
CVE Names:         CVE-2016-6662 
====================================================================
1. Summary:

An update for mariadb-galera is now available for Red Hat Enterprise Linux
OpenStack Platform 6.0 (Juno) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 - x86_64

3. Description:

MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL. Galera is a synchronous multi-master cluster for
MariaDB.

Security Fix(es):

* It was discovered that the MySQL logging functionality allowed writing to
MySQL configuration files. An administrative database user, or a database
user with FILE privileges, could possibly use this flaw to run arbitrary
commands with root privileges on the system running the database server.
(CVE-2016-6662)

Bug Fix(es):

* Because Red Hat Enterprise Linux 7.3 changed the return format of the
"systemctl is-enabled" command as consumed by shell scripts, the
mariadb-galera RPM package, upon installation, erroneously detected that
the MariaDB service was enabled when it was not. As a result, the Red Hat
OpenStack Platform installer, which then tried to run mariadb-galera using
Pacemaker and not systemd, failed to start Galera. With this update,
mariadb-galera's RPM installation scripts now use a different systemctl
command, correctly detecting the default MariaDB as disabled, and the
installer can succeed. (BZ#1376909)

* Previously, both the mariadb-server and mariadb-galera-server packages
shipped the client-facing libraries, dialog.so and mysql_clear_password.so.
As a result, the mariadb-galera-server package would fail to install
because of package conflicts. With this update, these libraries have been
moved from mariadb-galera-server to mariadb-libs, and the
mariadb-galera-server package installs successfully. (BZ#1376903)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1375198 - CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation
1376903 - RHEL 7.3 upgrades fails on upgrade because of mariadb-libs package conflict.
1376909 - mysqld service prevents haproxy to get started and deployment fails

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7:

Source:
mariadb-galera-5.5.42-1.2.el7ost.src.rpm

x86_64:
mariadb-galera-common-5.5.42-1.2.el7ost.x86_64.rpm
mariadb-galera-debuginfo-5.5.42-1.2.el7ost.x86_64.rpm
mariadb-galera-server-5.5.42-1.2.el7ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2016-6662
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/security/cve/CVE-2016-6662

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/+n4XlSAg2UNWIIRAqiYAKCmra9Lgje5oDlMbH8GxPJJMpsMogCfSb30
92s2svQXFq4UxaT7xg3sE78=QfH5
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat: RHSA-2016-2061-01 Critical: postgresql Vulnerability Exploit

red hat
Calendar Grey October 13, 2016
Dist Redhat Esm H88
A significant update addressing security vulnerabilities and bugs in mariadb-galera has been launched for Red Hat OpenStack Platform 6.0, with essential implications.
An update for mariadb-galera is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

Summary

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Galera is a synchronous multi-master cluster for MariaDB.
Security Fix(es):
* It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662)
Bug Fix(es):
* Because Red Hat Enterprise Linux 7.3 changed the return format of the "systemctl is-enabled" command as consumed by shell scripts, the mariadb-galera RPM package, upon installation, erroneously detected that the MariaDB service was enabled when it was not. As a result, the Red Hat OpenStack Platform installer, which then tried to run mariadb-galera using Pacemaker and not systemd, failed to start Galera. With this update, mariadb-galera's RPM installation scripts now use a different systemctl command, correctly detecting the default MariaDB as disabled, and the installer can succeed. (BZ#1376909)
* Previously, both the mariadb-server and mariadb-galera-server packages shipped the client-facing libraries, dialog.so and mysql_clear_password.so. As a result, the mariadb-galera-server package would fail to install because of package conflicts. With this update, these libraries have been moved from mariadb-galera-server to mariadb-libs, and the mariadb-galera-server package installs successfully. (BZ#1376903)

Topics%20covered

Topics Covered

security advisory privilege escalation bug fix important red hat enterprise openstack mariadb galera

References

https://access.redhat.com/security/cve/CVE-2016-6662 https://access.redhat.com/security/updates/classification#important https://access.redhat.com/security/cve/CVE-2016-6662

Package List

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7:
Source: mariadb-galera-5.5.42-1.2.el7ost.src.rpm
x86_64: mariadb-galera-common-5.5.42-1.2.el7ost.x86_64.rpm mariadb-galera-debuginfo-5.5.42-1.2.el7ost.x86_64.rpm mariadb-galera-server-5.5.42-1.2.el7ost.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2016:2060-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:2060.html
Issue date: 2016-10-13

Topic

An update for mariadb-galera is now available for Red Hat Enterprise LinuxOpenStack Platform 6.0 (Juno) for RHEL 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory privilege escalation bug fix important red hat enterprise openstack mariadb galera

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 - x86_64

Bugs Fixed

1375198 - CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation

1376903 - RHEL 7.3 upgrades fails on upgrade because of mariadb-libs package conflict.

1376909 - mysqld service prevents haproxy to get started and deployment fails

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here