-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:210 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : mariadb Date : October 28, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in mariadb: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS (CVE-2014-6464). Unspecified vulnerability in Oracle MySQL Server 5.5.39 and eariler and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER (CVE-2014-6469). Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML (CVE-2014-6507). Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML (CVE-2014-6555). Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING (CVE-2014-6559). The updated packages have been upgraded to the 5.5.40 version which is not vulnerable to these issues. Additionally MariaDB 5.5.40 removed the bundled copy of jemalloc from the source tarball and only builds with jemalloc if a system copy of the jemalloc library is detecting during the build. This update provides the jemalloc library packages to resolve this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559 https://mariadb.com/kb/en/mariadb/development/release-notes/mariadb-5540-release-notes/ http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html https://bugs.mageia.org/show_bug.cgi?id=14389 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: d3777064729ac827717ee166be4d6536 mbs1/x86_64/lib64jemalloc1-3.6.0-1.mbs1.x86_64.rpm 3544defe7a86633549c42285508dc09b mbs1/x86_64/lib64jemalloc-devel-3.6.0-1.mbs1.x86_64.rpm 412cf1c80ce6310949189a399019cd82 mbs1/x86_64/lib64mariadb18-5.5.40-1.1.mbs1.x86_64.rpm 354662572fd04b7b8e4bf2f6ea4ab1b6 mbs1/x86_64/lib64mariadb-devel-5.5.40-1.1.mbs1.x86_64.rpm eb88bc949042a53e31e07f231aaa79e9 mbs1/x86_64/lib64mariadb-embedded18-5.5.40-1.1.mbs1.x86_64.rpm 662b8680f36ef37b22546cb9cb7999f2 mbs1/x86_64/lib64mariadb-embedded-devel-5.5.40-1.1.mbs1.x86_64.rpm a46730286be82d1ac546517272004234 mbs1/x86_64/mariadb-5.5.40-1.1.mbs1.x86_64.rpm 07e236cfab3ac7c225a5b61c0f74498b mbs1/x86_64/mariadb-bench-5.5.40-1.1.mbs1.x86_64.rpm 4d277e041e4eac4f3da19e35b77f5958 mbs1/x86_64/mariadb-client-5.5.40-1.1.mbs1.x86_64.rpm 51ac1072841e4227f2082620e389b00a mbs1/x86_64/mariadb-common-5.5.40-1.1.mbs1.x86_64.rpm e7e7390b3dc47d105cb0735e884fc60b mbs1/x86_64/mariadb-common-core-5.5.40-1.1.mbs1.x86_64.rpm b1809dc518b89e3a986439db654fc92b mbs1/x86_64/mariadb-core-5.5.40-1.1.mbs1.x86_64.rpm c7a4f6e406a442e4c3b19a3ceccb211a mbs1/x86_64/mariadb-extra-5.5.40-1.1.mbs1.x86_64.rpm 6fe78e03875f2ec2227f6ef7d0f90e18 mbs1/x86_64/mariadb-feedback-5.5.40-1.1.mbs1.x86_64.rpm 1ef05e7a3532d97afb4dfa68f2d5b66a mbs1/x86_64/mariadb-obsolete-5.5.40-1.1.mbs1.x86_64.rpm 842bec02ddec2fd3dca28e907080aef5 mbs1/x86_64/mysql-MariaDB-5.5.40-1.1.mbs1.x86_64.rpm c820c46809e494c1d5ad83526d1f1ed1 mbs1/SRPMS/jemalloc-3.6.0-1.mbs1.src.rpm 7e6c522174ff1513cd9f09b2cf5feffc mbs1/SRPMS/mariadb-5.5.40-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUT0QSmqjQ0CJFipgRAmnhAKCOd9QLoxRrlcA8U4XLA46+ZhjfFwCfQzhY tRKQjAv7QAJqbwipIkIIC8Q= =uyHd -----END PGP SIGNATURE-----