mariadb security update

CentOS Errata and Security Advisory CESA-2018:2439

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version: mariadb (5.5.60). (BZ#1584668, BZ#1584671, BZ#1584674, BZ#1601085)

Security Fix(es):

• mysql: Client programs unspecified vulnerability (CPU Jul 2017) (CVE-2017-3636)

• mysql: Server: DML unspecified vulnerability (CPU Jul 2017) (CVE-2017-3641)

• mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017) (CVE-2017-3651)

• mysql: Server: Replication unspecified vulnerability (CPU Oct 2017) (CVE-2017-10268)

• mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017) (CVE-2017-10378)

• mysql: Client programs unspecified vulnerability (CPU Oct 2017) (CVE-2017-10379)

• mysql: Server: DDL unspecified vulnerability (CPU Oct 2017) (CVE-2017-10384)

• mysql: Server: Partition unspecified vulnerability (CPU Jan 2018) (CVE-2018-2562)

• mysql: Server: DDL unspecified vulnerability (CPU Jan 2018) (CVE-2018-2622)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2640)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2665)

• mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018) (CVE-2018-2668)

• mysql: Server: Replication unspecified vulnerability (CPU Apr 2018) (CVE-2018-2755)

• mysql: Client programs unspecified vulnerability (CPU Apr 2018) (CVE-2018-2761)

• mysql: Server: Locking unspecified vulnerability (CPU Apr 2018) (CVE-2018-2771)

• mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018) (CVE-2018-2781)

• mysql: Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2813)

• mysql: Server: DDL unspecified vulnerability (CPU Apr 2018) (CVE-2018-2817)

• mysql: InnoDB unspecified vulnerability (CPU Apr 2018) (CVE-2018-2819)

• mysql: Server: DDL unspecified vulnerability (CPU Jul 2017) (CVE-2017-3653)

• mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM) (CVE-2018-2767)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Previously, the mysqladmin tool waited for an inadequate length of time if the socket it listened on did not respond in a specific way. Consequently, when the socket was used while the MariaDB server was starting, the mariadb service became unresponsive for a long time. With this update, the mysqladmin timeout has been shortened to 2 seconds. As a result, the mariadb service either starts or fails but no longer hangs in the described situation. (BZ#1584023)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2018-August/085157.html

Affected packages:
mariadb
mariadb-bench
mariadb-devel
mariadb-embedded
mariadb-embedded-devel
mariadb-libs
mariadb-server
mariadb-test

Upstream details at:
https://access.redhat.com/errata/RHSA-2018:2439