Advisories » MGASA-2018-0259

Updated mariadb packages fix security vulnerabilities

Publication date: 29 May 2018
Modification date: 29 May 2018
Type: security
Affected Mageia releases: 5
CVE: CVE-2018-2755, CVE-2018-2761, CVE-2018-2766, CVE-2018-2771, CVE-2018-2781, CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2813, CVE-2018-2817, CVE-2018-2819

Description

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Replication). Difficult to exploit vulnerability allows
unauthenticated attacker with logon to the infrastructure where MariaDB
Server executes to compromise MariaDB Server. Successful attacks require
human interaction from a person other than the attacker and while the
vulnerability is in MariaDB Server, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result
in takeover of MariaDB Server (CVE-2018-2755).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Client programs). Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MariaDB Server (CVE-2018-2761).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MariaDB
Server (CVE-2018-2766).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Locking). Difficult to exploit vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MariaDB Server (CVE-2018-2771).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: Optimizer). Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MariaDB Server (CVE-2018-2781).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MariaDB
Server (CVE-2018-2782).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MariaDB
Server (CVE-2018-2784).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MariaDB
Server as well as unauthorized update, insert or delete access to some of
MariaDB Server accessible data (CVE-2018-2787).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: DDL). Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
read access to a subset of MariaDB Server accessible data (CVE-2018-2813).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
Server: DDL). Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MariaDB
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MariaDB Server (CVE-2018-2817).

Vulnerability in the MariaDB Server component of MariaDB (subcomponent:
InnoDB). Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MariaDB
Server (CVE-2018-2819).
                

References

SRPMS

5/core