Security update for MariaDB SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1216-1 Final 1 1 2015-07-01T07:00:16Z current 2015-07-01T07:00:16Z 2015-07-01T07:00:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MariaDB MariaDB was updated to its current minor version, fixing bugs and security issues. These updates include a fix for Logjam (CVE-2015-4000), making MariaDB work with client software that no longer allows short DH groups over SSL, as e.g. our current openssl packages. On openSUSE 13.1, MariaDB was updated to 5.5.44. On openSUSE 13.2, MariaDB was updated from 10.0.13 to 10.0.20. Please read the release notes of MariaDB https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10019-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10017-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10015-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10014-release-notes/ for more information. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html E-Mail link for openSUSE-SU-2015:1216-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings libmysqlclient-devel-5.5.44-4.1 libmysqlclient18-5.5.44-4.1 libmysqlclient18-32bit-5.5.44-4.1 libmysqlclient_r18-5.5.44-4.1 libmysqlclient_r18-32bit-5.5.44-4.1 libmysqld-devel-5.5.44-4.1 libmysqld18-5.5.44-4.1 mariadb-5.5.44-4.1 mariadb-bench-5.5.44-4.1 mariadb-client-5.5.44-4.1 mariadb-errormessages-5.5.44-4.1 mariadb-test-5.5.44-4.1 mariadb-tools-5.5.44-4.1 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS. CVE-2014-6464 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6464.html CVE-2014-6464 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER. CVE-2014-6469 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6469.html CVE-2014-6469 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500. CVE-2014-6491 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6491.html CVE-2014-6491 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496. CVE-2014-6494 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6494.html CVE-2014-6494 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494. CVE-2014-6496 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6496.html CVE-2014-6496 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491. CVE-2014-6500 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6500.html CVE-2014-6500 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. CVE-2014-6507 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6507.html CVE-2014-6507 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. CVE-2014-6555 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6555.html CVE-2014-6555 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING. CVE-2014-6559 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6559.html CVE-2014-6559 https://bugzilla.suse.com/901237 SUSE Bug 901237 https://bugzilla.suse.com/915912 SUSE Bug 915912 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. CVE-2014-6568 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-6568.html CVE-2014-6568 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. CVE-2014-8964 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2014-8964.html CVE-2014-8964 https://bugzilla.suse.com/906574 SUSE Bug 906574 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. CVE-2015-0374 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0374.html CVE-2015-0374 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. CVE-2015-0381 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0381.html CVE-2015-0381 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. CVE-2015-0382 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0382.html CVE-2015-0382 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. CVE-2015-0411 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0411.html CVE-2015-0411 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. CVE-2015-0432 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0432.html CVE-2015-0432 https://bugzilla.suse.com/914058 SUSE Bug 914058 https://bugzilla.suse.com/915911 SUSE Bug 915911 Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to InnoDB : DML. CVE-2015-0433 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0433.html CVE-2015-0433 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936409 SUSE Bug 936409 Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Encryption. CVE-2015-0441 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0441.html CVE-2015-0441 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936409 SUSE Bug 936409 Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Federated. CVE-2015-0499 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0499.html CVE-2015-0499 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936408 SUSE Bug 936408 Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling. CVE-2015-0501 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0501.html CVE-2015-0501 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936408 SUSE Bug 936408 Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. CVE-2015-0505 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-0505.html CVE-2015-0505 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936408 SUSE Bug 936408 The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier. CVE-2015-2325 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-2325.html CVE-2015-2325 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373 The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/". CVE-2015-2326 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-2326.html CVE-2015-2326 https://bugzilla.suse.com/924960 SUSE Bug 924960 https://bugzilla.suse.com/924961 SUSE Bug 924961 https://bugzilla.suse.com/933288 SUSE Bug 933288 https://bugzilla.suse.com/936408 SUSE Bug 936408 https://bugzilla.suse.com/958373 SUSE Bug 958373 Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote attackers to affect availability via unknown vectors related to Server : Security : Privileges. CVE-2015-2568 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-2568.html CVE-2015-2568 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936409 SUSE Bug 936409 Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. CVE-2015-2571 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-2571.html CVE-2015-2571 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936408 SUSE Bug 936408 Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. CVE-2015-2573 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-2573.html CVE-2015-2573 https://bugzilla.suse.com/927623 SUSE Bug 927623 https://bugzilla.suse.com/936409 SUSE Bug 936409 Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack. CVE-2015-3152 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-3152.html CVE-2015-3152 https://bugzilla.suse.com/1037590 SUSE Bug 1037590 https://bugzilla.suse.com/1047059 SUSE Bug 1047059 https://bugzilla.suse.com/1088681 SUSE Bug 1088681 https://bugzilla.suse.com/924663 SUSE Bug 924663 https://bugzilla.suse.com/928962 SUSE Bug 928962 https://bugzilla.suse.com/936407 SUSE Bug 936407 The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. CVE-2015-4000 important 7.3 AV:N/AC:H/Au:N/C:C/I:C/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00020.html https://www.suse.com/security/cve/CVE-2015-4000.html CVE-2015-4000 https://bugzilla.suse.com/1074631 SUSE Bug 1074631 https://bugzilla.suse.com/931600 SUSE Bug 931600 https://bugzilla.suse.com/931698 SUSE Bug 931698 https://bugzilla.suse.com/931723 SUSE Bug 931723 https://bugzilla.suse.com/931845 SUSE Bug 931845 https://bugzilla.suse.com/932026 SUSE Bug 932026 https://bugzilla.suse.com/932483 SUSE Bug 932483 https://bugzilla.suse.com/934789 SUSE Bug 934789 https://bugzilla.suse.com/935033 SUSE Bug 935033 https://bugzilla.suse.com/935540 SUSE Bug 935540 https://bugzilla.suse.com/935979 SUSE Bug 935979 https://bugzilla.suse.com/936168 SUSE Bug 936168 https://bugzilla.suse.com/937202 SUSE Bug 937202 https://bugzilla.suse.com/937724 SUSE Bug 937724 https://bugzilla.suse.com/937766 SUSE Bug 937766 https://bugzilla.suse.com/938248 SUSE Bug 938248 https://bugzilla.suse.com/938432 SUSE Bug 938432 https://bugzilla.suse.com/938895 SUSE Bug 938895 https://bugzilla.suse.com/938905 SUSE Bug 938905 https://bugzilla.suse.com/938906 SUSE Bug 938906 https://bugzilla.suse.com/938913 SUSE Bug 938913 https://bugzilla.suse.com/938945 SUSE Bug 938945 https://bugzilla.suse.com/941696 SUSE Bug 941696 https://bugzilla.suse.com/943664 SUSE Bug 943664 https://bugzilla.suse.com/944729 SUSE Bug 944729 https://bugzilla.suse.com/945582 SUSE Bug 945582 https://bugzilla.suse.com/955589 SUSE Bug 955589 https://bugzilla.suse.com/980406 SUSE Bug 980406 https://bugzilla.suse.com/990592 SUSE Bug 990592